From 77cfcff2ed003d1b886cfa5b2482adf8bf477f2e Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 29 Nov 2024 14:17:13 +0100
Subject: [PATCH 01/35] Fix toString.

---
 .../src/org/jdrupes/vmoperator/common/VmPool.java            | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index 8da0a9f18..55746533c 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -93,9 +93,8 @@ public String toString() {
         if (vms.size() <= 3) {
             builder.append(vms);
         } else {
-            builder.append('[');
-            vms.stream().limit(3).map(s -> s + ",").forEach(builder::append);
-            builder.append("...]");
+            builder.append('[').append(vms.stream().limit(3).map(s -> s + ",")
+                .collect(Collectors.joining())).append("...]");
         }
         builder.append(']');
         return builder.toString();

From 367aebeee596c17695aa6ded9096037428d56ac2 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 1 Dec 2024 13:41:18 +0100
Subject: [PATCH 02/35] Pool configurable in GUI.

---
 .../org/jdrupes/vmoperator/common/VmPool.java |   2 +
 .../vmaccess/VmAccess-edit.ftl.html           |  38 +-
 .../vmoperator/vmaccess/l10n_de.properties    |   2 +-
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 337 ++++++++++++------
 .../vmaccess/browser/VmAccess-functions.ts    |  44 ++-
 .../vmaccess/browser/VmAccess-style.scss      |   5 +
 6 files changed, 295 insertions(+), 133 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index 55746533c..4b29adc9d 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -60,6 +60,8 @@ public void setName(String name) {
     }
 
     /**
+     * All permissions.
+     *
      * @return the permissions
      */
     public List<Grant> permissions() {
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
index ba61399d1..1a10a7dd8 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
@@ -5,17 +5,33 @@
   data-jgwc-on-unload="JGConsole.jgwc.unmountVueApps">
   <form :id="formId" ref="formDom" onsubmit="return false;">
     <section>
-      <span>{{ localize("Select VM") }}</span>
-      <p>
-        <label>
-          <span>{{ localize("VM") }}</span>
-          <select v-model="vmNameInput">
-          <#list vmNames as name>
-            <option value="${name}">${name}</option>
-          </#list>
-          </select>
-        </label>
-      </p>
+      <fieldset>
+        <legend>{{ localize("Select VM or pool") }}</legend>
+        <ul>
+          <li>
+            <label>
+              <input v-model="resource" type="radio" name="resource" value="vm">
+              <span>{{ localize("VM") }}</span>
+              <select v-model="vmNameInput" :disabled="resource !== 'vm'">
+              <#list vmNames as name>
+                <option value="${name}">${name}</option>
+              </#list>
+              </select>
+            </label>
+          </li>
+          <li>
+            <label>
+              <input v-model="resource" type="radio" name="resource" value="pool">
+              <span>{{ localize("Pool") }}</span>
+              <select v-model="poolNameInput" :disabled="resource !== 'pool'">
+              <#list poolNames as name>
+                <option value="${name}">${name}</option>
+              </#list>
+              </select>
+            </label>
+          </li>
+        </ul>
+      </fieldset>
     </section>
   </form>  
 </div>
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
index bcdc33210..7d4ff231c 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
@@ -1,7 +1,7 @@
 conletName = VM-Zugriff
 
 okayLabel = Anwenden und Schließen
-Select\ VM = VM auswählen
+Select\ VM\ or\ pool = VM oder Pool auswählen
 
 Start\ VM = VM starten
 Stop\ VM = VM anhalten
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index e1a41efb4..f671e93a7 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -38,6 +38,7 @@
 import java.util.Base64;
 import java.util.Collections;
 import java.util.EnumSet;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -49,13 +50,14 @@
 import org.bouncycastle.util.Objects;
 import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.VmDefinition;
-import org.jdrupes.vmoperator.common.VmDefinition.Permission;
+import org.jdrupes.vmoperator.common.VmPool;
 import org.jdrupes.vmoperator.manager.events.ChannelTracker;
 import org.jdrupes.vmoperator.manager.events.GetDisplayPassword;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
+import org.jdrupes.vmoperator.manager.events.VmPoolChanged;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Components;
 import org.jgrapes.core.Event;
@@ -107,7 +109,7 @@
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports",
     "PMD.CouplingBetweenObjects", "PMD.GodClass", "PMD.TooManyMethods" })
-public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
+public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
 
     private static final String VM_NAME_PROPERTY = "vmName";
     private static final String RENDERED
@@ -126,6 +128,8 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
     private Set<String> syncUsers = Collections.emptySet();
     private Set<String> syncRoles = Collections.emptySet();
     private boolean deleteConnectionFile = true;
+    @SuppressWarnings("PMD.UseConcurrentHashMap")
+    private final Map<String, VmPool> vmPools = new HashMap<>();
 
     /**
      * The periodically generated update event.
@@ -247,20 +251,28 @@ public void onConsoleReady(ConsoleReady event, ConsoleConnection channel)
      * @throws InterruptedException the interrupted exception
      */
     @Handler
-    @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
     public void onConsoleConfigured(ConsoleConfigured event,
             ConsoleConnection connection) throws InterruptedException,
             IOException {
         @SuppressWarnings("unchecked")
-        final var rendered = (Set<String>) connection.session().get(RENDERED);
+        final var rendered
+            = (Set<ResourceModel>) connection.session().get(RENDERED);
         connection.session().remove(RENDERED);
         if (!syncPreviews(connection.session())) {
             return;
         }
 
+        addMissingVms(event, connection, rendered);
+    }
+
+    @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
+    private void addMissingVms(ConsoleConfigured event,
+            ConsoleConnection connection, final Set<ResourceModel> rendered) {
         boolean foundMissing = false;
         for (var vmName : accessibleVms(connection)) {
-            if (rendered.contains(vmName)) {
+            if (rendered.stream()
+                .anyMatch(r -> r.type() == ResourceModel.Type.VM
+                    && r.name().equals(vmName))) {
                 continue;
             }
             if (!foundMissing) {
@@ -300,13 +312,12 @@ private String storagePath(Session session, String conletId) {
     }
 
     @Override
-    protected Optional<ViewerModel> createNewState(AddConletRequest event,
+    protected Optional<ResourceModel> createNewState(AddConletRequest event,
             ConsoleConnection connection, String conletId) throws Exception {
-        var model = new ViewerModel(conletId);
-        model.vmName = (String) event.properties().get(VM_NAME_PROPERTY);
-        if (model.vmName != null) {
-            model.setGenerated(true);
-        }
+        var model = new ResourceModel(conletId);
+        model.setType(ResourceModel.Type.VM);
+        model
+            .setName((String) event.properties().get(VM_NAME_PROPERTY));
         String jsonState = objectMapper.writeValueAsString(model);
         connection.respond(new KeyValueStoreUpdate().update(
             storagePath(connection.session(), model.getConletId()), jsonState));
@@ -314,9 +325,9 @@ protected Optional<ViewerModel> createNewState(AddConletRequest event,
     }
 
     @Override
-    protected Optional<ViewerModel> createStateRepresentation(Event<?> event,
+    protected Optional<ResourceModel> createStateRepresentation(Event<?> event,
             ConsoleConnection connection, String conletId) throws Exception {
-        var model = new ViewerModel(conletId);
+        var model = new ResourceModel(conletId);
         String jsonState = objectMapper.writeValueAsString(model);
         connection.respond(new KeyValueStoreUpdate().update(
             storagePath(connection.session(), model.getConletId()), jsonState));
@@ -325,7 +336,7 @@ protected Optional<ViewerModel> createStateRepresentation(Event<?> event,
 
     @Override
     @SuppressWarnings("PMD.EmptyCatchBlock")
-    protected Optional<ViewerModel> recreateState(Event<?> event,
+    protected Optional<ResourceModel> recreateState(Event<?> event,
             ConsoleConnection channel, String conletId) throws Exception {
         KeyValueStoreQuery query = new KeyValueStoreQuery(
             storagePath(channel.session(), conletId), channel);
@@ -334,8 +345,8 @@ protected Optional<ViewerModel> recreateState(Event<?> event,
             if (!query.results().isEmpty()) {
                 var json = query.results().get(0).values().stream().findFirst()
                     .get();
-                ViewerModel model
-                    = objectMapper.readValue(json, ViewerModel.class);
+                ResourceModel model
+                    = objectMapper.readValue(json, ResourceModel.class);
                 return Optional.of(model);
             }
         } catch (InterruptedException e) {
@@ -347,58 +358,23 @@ protected Optional<ViewerModel> recreateState(Event<?> event,
     }
 
     @Override
-    @SuppressWarnings({ "PMD.AvoidInstantiatingObjectsInLoops", "unchecked" })
+    @SuppressWarnings({ "PMD.AvoidInstantiatingObjectsInLoops" })
     protected Set<RenderMode> doRenderConlet(RenderConletRequestBase<?> event,
-            ConsoleConnection channel, String conletId, ViewerModel model)
+            ConsoleConnection channel, String conletId, ResourceModel model)
             throws Exception {
-        ResourceBundle resourceBundle = resourceBundle(channel.locale());
-        Set<RenderMode> renderedAs = EnumSet.noneOf(RenderMode.class);
         if (event.renderAs().contains(RenderMode.Preview)) {
-            channel.associated(PENDING, Event.class)
-                .ifPresent(e -> {
-                    e.resumeHandling();
-                    channel.setAssociated(PENDING, null);
-                });
-
-            // Remove conlet if definition has been removed
-            if (model.vmName() != null
-                && !channelTracker.associated(model.vmName()).isPresent()) {
-                channel.respond(
-                    new DeleteConlet(conletId, Collections.emptySet()));
-                return Collections.emptySet();
-            }
-
-            // Don't render if user has not at least one permission
-            if (model.vmName() != null
-                && channelTracker.associated(model.vmName())
-                    .map(d -> permissions(d, channel.session()).isEmpty())
-                    .orElse(true)) {
-                return Collections.emptySet();
-            }
-
-            // Render
-            Template tpl
-                = freemarkerConfig().getTemplate("VmAccess-preview.ftl.html");
-            channel.respond(new RenderConlet(type(), conletId,
-                processTemplate(event, tpl,
-                    fmModel(event, channel, conletId, model)))
-                        .setRenderAs(
-                            RenderMode.Preview.addModifiers(event.renderAs()))
-                        .setSupportedModes(syncPreviews(channel.session())
-                            ? MODES_FOR_GENERATED
-                            : MODES));
-            renderedAs.add(RenderMode.Preview);
-            if (!Strings.isNullOrEmpty(model.vmName())) {
-                Optional.ofNullable(channel.session().get(RENDERED))
-                    .ifPresent(s -> ((Set<String>) s).add(model.vmName()));
-                updateConfig(channel, model);
-            }
+            return renderPreview(event, channel, conletId, model);
         }
+
+        // Render edit
+        ResourceBundle resourceBundle = resourceBundle(channel.locale());
+        Set<RenderMode> renderedAs = EnumSet.noneOf(RenderMode.class);
         if (event.renderAs().contains(RenderMode.Edit)) {
             Template tpl = freemarkerConfig()
                 .getTemplate("VmAccess-edit.ftl.html");
             var fmModel = fmModel(event, channel, conletId, model);
             fmModel.put("vmNames", accessibleVms(channel));
+            fmModel.put("poolNames", accessiblePools(channel));
             channel.respond(new OpenModalDialog(type(), conletId,
                 processTemplate(event, tpl, fmModel))
                     .addOption("cancelable", true)
@@ -408,13 +384,69 @@ protected Set<RenderMode> doRenderConlet(RenderConletRequestBase<?> event,
         return renderedAs;
     }
 
+    @SuppressWarnings("unchecked")
+    private Set<RenderMode> renderPreview(RenderConletRequestBase<?> event,
+            ConsoleConnection channel, String conletId, ResourceModel model)
+            throws TemplateNotFoundException, MalformedTemplateNameException,
+            ParseException, IOException {
+        channel.associated(PENDING, Event.class)
+            .ifPresent(e -> {
+                e.resumeHandling();
+                channel.setAssociated(PENDING, null);
+            });
+
+        if (model.type() == ResourceModel.Type.VM && model.name() != null) {
+            // Remove conlet if VM definition has been removed
+            // or user has not at least one permission
+            Optional<VmDefinition> vmDef
+                = channelTracker.associated(model.name());
+            if (vmDef.isEmpty()
+                || vmPermissions(vmDef.get(), channel.session()).isEmpty()) {
+                channel.respond(
+                    new DeleteConlet(conletId, Collections.emptySet()));
+                return Collections.emptySet();
+            }
+        }
+
+        if (model.type() == ResourceModel.Type.POOL && model.name() != null) {
+            // Remove conlet if pool definition has been removed
+            // or user has not at least one permission
+            VmPool pool = vmPools.get(model.name());
+            if (pool == null
+                || poolPermissions(pool, channel.session()).isEmpty()) {
+                channel.respond(
+                    new DeleteConlet(conletId, Collections.emptySet()));
+                return Collections.emptySet();
+            }
+        }
+
+        // Render
+        Template tpl
+            = freemarkerConfig().getTemplate("VmAccess-preview.ftl.html");
+        channel.respond(new RenderConlet(type(), conletId,
+            processTemplate(event, tpl,
+                fmModel(event, channel, conletId, model)))
+                    .setRenderAs(
+                        RenderMode.Preview.addModifiers(event.renderAs()))
+                    .setSupportedModes(syncPreviews(channel.session())
+                        ? MODES_FOR_GENERATED
+                        : MODES));
+        if (!Strings.isNullOrEmpty(model.name())) {
+            Optional.ofNullable(channel.session().get(RENDERED))
+                .ifPresent(s -> ((Set<ResourceModel>) s).add(model));
+            updateConfig(channel, model);
+        }
+        return EnumSet.of(RenderMode.Preview);
+    }
+
     private List<String> accessibleVms(ConsoleConnection channel) {
         return channelTracker.associated().stream()
-            .filter(d -> !permissions(d, channel.session()).isEmpty())
+            .filter(d -> !vmPermissions(d, channel.session()).isEmpty())
             .map(d -> d.getMetadata().getName()).sorted().toList();
     }
 
-    private Set<Permission> permissions(VmDefinition vmDef, Session session) {
+    private Set<VmDefinition.Permission> vmPermissions(VmDefinition vmDef,
+            Session session) {
         var user = WebConsoleUtils.userFromSession(session)
             .map(ConsoleUser::getName).orElse(null);
         var roles = WebConsoleUtils.rolesFromSession(session)
@@ -422,17 +454,32 @@ private Set<Permission> permissions(VmDefinition vmDef, Session session) {
         return vmDef.permissionsFor(user, roles);
     }
 
-    private void updateConfig(ConsoleConnection channel, ViewerModel model) {
+    private List<String> accessiblePools(ConsoleConnection channel) {
+        return vmPools.values().stream()
+            .filter(d -> !poolPermissions(d, channel.session()).isEmpty())
+            .map(d -> d.name()).sorted().toList();
+    }
+
+    private Set<VmPool.Permission> poolPermissions(VmPool pool,
+            Session session) {
+        var user = WebConsoleUtils.userFromSession(session)
+            .map(ConsoleUser::getName).orElse(null);
+        var roles = WebConsoleUtils.rolesFromSession(session)
+            .stream().map(ConsoleRole::getName).toList();
+        return pool.permissionsFor(user, roles);
+    }
+
+    private void updateConfig(ConsoleConnection channel, ResourceModel model) {
         channel.respond(new NotifyConletView(type(),
-            model.getConletId(), "updateConfig", model.vmName()));
+            model.getConletId(), "updateConfig", model.type(), model.name()));
         updateVmDef(channel, model);
     }
 
-    private void updateVmDef(ConsoleConnection channel, ViewerModel model) {
-        if (Strings.isNullOrEmpty(model.vmName())) {
+    private void updateVmDef(ConsoleConnection channel, ResourceModel model) {
+        if (Strings.isNullOrEmpty(model.name())) {
             return;
         }
-        channelTracker.value(model.vmName()).ifPresent(item -> {
+        channelTracker.value(model.name()).ifPresent(item -> {
             try {
                 var vmDef = item.associated();
                 var data = Map.of("metadata",
@@ -441,8 +488,8 @@ private void updateVmDef(ConsoleConnection channel, ViewerModel model) {
                     "spec", vmDef.spec(),
                     "status", vmDef.getStatus(),
                     "userPermissions",
-                    permissions(vmDef, channel.session()).stream()
-                        .map(Permission::toString).toList());
+                    vmPermissions(vmDef, channel.session()).stream()
+                        .map(VmDefinition.Permission::toString).toList());
                 channel.respond(new NotifyConletView(type(),
                     model.getConletId(), "updateVmDefinition", data));
             } catch (JsonSyntaxException e) {
@@ -454,7 +501,8 @@ private void updateVmDef(ConsoleConnection channel, ViewerModel model) {
 
     @Override
     protected void doConletDeleted(ConletDeleted event,
-            ConsoleConnection channel, String conletId, ViewerModel conletState)
+            ConsoleConnection channel, String conletId,
+            ResourceModel conletState)
             throws Exception {
         if (event.renderModes().isEmpty()) {
             channel.respond(new KeyValueStoreUpdate().delete(
@@ -487,7 +535,7 @@ public void onVmDefChanged(VmDefChanged event, VmChannel channel)
             for (var conletId : entry.getValue()) {
                 var model = stateFromSession(connection.session(), conletId);
                 if (model.isEmpty()
-                    || !Objects.areEqual(model.get().vmName(), vmName)) {
+                    || !Objects.areEqual(model.get().name(), vmName)) {
                     continue;
                 }
                 if (event.type() == K8sObserver.ResponseType.DELETED) {
@@ -500,21 +548,36 @@ public void onVmDefChanged(VmDefChanged event, VmChannel channel)
         }
     }
 
+    /**
+     * On vm pool changed.
+     *
+     * @param event the event
+     * @param channel the channel
+     */
+    @Handler(namedChannels = "manager")
+    public void onVmPoolChanged(VmPoolChanged event) {
+        if (event.deleted()) {
+            vmPools.remove(event.vmPool().name());
+            return;
+        }
+        vmPools.put(event.vmPool().name(), event.vmPool());
+    }
+
     @Override
     @SuppressWarnings({ "PMD.AvoidDecimalLiteralsInBigDecimalConstructor",
         "PMD.ConfusingArgumentToVarargsMethod", "PMD.NcssCount",
         "PMD.AvoidLiteralsInIfCondition" })
     protected void doUpdateConletState(NotifyConletModel event,
-            ConsoleConnection channel, ViewerModel model)
+            ConsoleConnection channel, ResourceModel model)
             throws Exception {
         event.stop();
-        if ("selectedVm".equals(event.method())) {
-            selectVm(event, channel, model);
+        if ("selectedResource".equals(event.method())) {
+            selectResource(event, channel, model);
             return;
         }
 
         // Handle command for selected VM
-        var both = Optional.ofNullable(model.vmName())
+        var both = Optional.ofNullable(model.name())
             .flatMap(vm -> channelTracker.value(vm));
         if (both.isEmpty()) {
             return;
@@ -522,31 +585,31 @@ protected void doUpdateConletState(NotifyConletModel event,
         var vmChannel = both.get().channel();
         var vmDef = both.get().associated();
         var vmName = vmDef.metadata().getName();
-        var perms = permissions(vmDef, channel.session());
+        var perms = vmPermissions(vmDef, channel.session());
         var resourceBundle = resourceBundle(channel.locale());
         switch (event.method()) {
         case "start":
-            if (perms.contains(Permission.START)) {
+            if (perms.contains(VmDefinition.Permission.START)) {
                 fire(new ModifyVm(vmName, "state", "Running", vmChannel));
             }
             break;
         case "stop":
-            if (perms.contains(Permission.STOP)) {
+            if (perms.contains(VmDefinition.Permission.STOP)) {
                 fire(new ModifyVm(vmName, "state", "Stopped", vmChannel));
             }
             break;
         case "reset":
-            if (perms.contains(Permission.RESET)) {
+            if (perms.contains(VmDefinition.Permission.RESET)) {
                 confirmReset(event, channel, model, resourceBundle);
             }
             break;
         case "resetConfirmed":
-            if (perms.contains(Permission.RESET)) {
+            if (perms.contains(VmDefinition.Permission.RESET)) {
                 fire(new ResetVm(vmName), vmChannel);
             }
             break;
         case "openConsole":
-            if (perms.contains(Permission.ACCESS_CONSOLE)) {
+            if (perms.contains(VmDefinition.Permission.ACCESS_CONSOLE)) {
                 var user = WebConsoleUtils.userFromSession(channel.session())
                     .map(ConsoleUser::getName).orElse("");
                 var pwQuery
@@ -561,17 +624,26 @@ protected void doUpdateConletState(NotifyConletModel event,
         }
     }
 
-    private void selectVm(NotifyConletModel event, ConsoleConnection channel,
-            ViewerModel model) throws JsonProcessingException {
-        model.setVmName(event.param(0));
-        String jsonState = objectMapper.writeValueAsString(model);
-        channel.respond(new KeyValueStoreUpdate().update(storagePath(
-            channel.session(), model.getConletId()), jsonState));
-        updateConfig(channel, model);
+    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
+        "PMD.UseLocaleWithCaseConversions" })
+    private void selectResource(NotifyConletModel event,
+            ConsoleConnection channel, ResourceModel model)
+            throws JsonProcessingException {
+        try {
+            model.setType(ResourceModel.Type
+                .valueOf(event.<String> param(0).toUpperCase()));
+            model.setName(event.param(1));
+            String jsonState = objectMapper.writeValueAsString(model);
+            channel.respond(new KeyValueStoreUpdate().update(storagePath(
+                channel.session(), model.getConletId()), jsonState));
+            updateConfig(channel, model);
+        } catch (IllegalArgumentException e) {
+            logger.warning(() -> "Invalid resource type: " + e.getMessage());
+        }
     }
 
     private void openConsole(String vmName, ConsoleConnection connection,
-            ViewerModel model, String password) {
+            ResourceModel model, String password) {
         var vmDef = channelTracker.associated(vmName).orElse(null);
         if (vmDef == null) {
             return;
@@ -642,7 +714,7 @@ private Optional<InetAddress> displayIp(VmDefinition vmDef) {
     }
 
     private void confirmReset(NotifyConletModel event,
-            ConsoleConnection channel, ViewerModel model,
+            ConsoleConnection channel, ResourceModel model,
             ResourceBundle resourceBundle) throws TemplateNotFoundException,
             MalformedTemplateNameException, ParseException, IOException {
         Template tpl = freemarkerConfig()
@@ -662,58 +734,97 @@ protected boolean doSetLocale(SetLocale event, ConsoleConnection channel,
     }
 
     /**
-     * The Class VmsModel.
+     * The Class AccessModel.
      */
     @SuppressWarnings("PMD.DataClass")
-    public static class ViewerModel extends ConletBaseModel {
+    public static class ResourceModel extends ConletBaseModel {
 
-        private String vmName;
-        private boolean generated;
+        /**
+         * The Enum ResourceType.
+         */
+        @SuppressWarnings("PMD.ShortVariable")
+        public enum Type {
+            VM, POOL
+        }
+
+        private Type type;
+        private String name;
 
         /**
-         * Instantiates a new vms model.
+         * Instantiates a new resource model.
          *
          * @param conletId the conlet id
          */
-        public ViewerModel(@JsonProperty("conletId") String conletId) {
+        public ResourceModel(@JsonProperty("conletId") String conletId) {
             super(conletId);
         }
 
         /**
-         * Gets the vm name.
+         * Gets the resource name.
          *
-         * @return the vmName
+         * @return the string
          */
-        @JsonGetter("vmName")
-        public String vmName() {
-            return vmName;
+        @JsonGetter("name")
+        public String name() {
+            return name;
         }
 
         /**
-         * Sets the vm name.
+         * Sets the name.
          *
-         * @param vmName the vmName to set
+         * @param name the resource name to set
          */
-        public void setVmName(String vmName) {
-            this.vmName = vmName;
+        public void setName(String name) {
+            this.name = name;
         }
 
         /**
-         * Checks if is generated.
-         *
-         * @return the generated
+         * @return the resourceType
          */
-        public boolean isGenerated() {
-            return generated;
+        @JsonGetter("type")
+        public Type type() {
+            return type;
         }
 
         /**
-         * Sets the generated.
+         * Sets the type.
          *
-         * @param generated the generated to set
+         * @param type the resource type to set
          */
-        public void setGenerated(boolean generated) {
-            this.generated = generated;
+        public void setType(Type type) {
+            this.type = type;
+        }
+
+        @Override
+        public int hashCode() {
+            final int prime = 31;
+            int result = super.hashCode();
+            result = prime * result + java.util.Objects.hash(name, type);
+            return result;
+        }
+
+        @Override
+        public boolean equals(Object obj) {
+            if (this == obj) {
+                return true;
+            }
+            if (!super.equals(obj)) {
+                return false;
+            }
+            if (getClass() != obj.getClass()) {
+                return false;
+            }
+            ResourceModel other = (ResourceModel) obj;
+            return java.util.Objects.equals(name, other.name)
+                && type == other.type;
+        }
+
+        @Override
+        public String toString() {
+            StringBuilder builder = new StringBuilder(50);
+            builder.append("AccessModel [resourceType=").append(type)
+                .append(", resourceName=").append(name).append(']');
+            return builder.toString();
         }
 
     }
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
index fb523537c..c5f3da023 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
@@ -44,6 +44,7 @@ interface Api {
     /* eslint-disable @typescript-eslint/no-explicit-any */
     vmName: string;
     vmDefinition: any;
+    poolName: string;
 }
 
 const localize = (key: string) => {
@@ -62,7 +63,8 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
 
             const previewApi: Api = reactive({
                 vmName: "",
-                vmDefinition: {}
+                vmDefinition: {},
+                poolName: ""
             });
             const configured = computed(() => previewApi.vmDefinition.spec);
             const startable = computed(() => previewApi.vmDefinition.spec &&
@@ -76,7 +78,8 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             const permissions = computed(() => previewApi.vmDefinition.spec
                 ? previewApi.vmDefinition.userPermissions : []);
 
-            watch(() => previewApi.vmName, (name: string) => {
+            watch(previewApi, (api: Api) => {
+                const name = api.vmName || api.poolName;
                 if (name !== "") {
                     JGConsole.instance.updateConletTitle(conletId, name);
                 }
@@ -139,14 +142,21 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
 };
 
 JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
-    "updateConfig", function(conletId: string, vmName: string) {
+    "updateConfig",
+    function(conletId: string, type: string, resource: string) {
         const conlet = JGConsole.findConletPreview(conletId);
         if (!conlet) {
             return;
         }
         const api = getApi<Api>(conlet.element().querySelector(
             ":scope .jdrupes-vmoperator-vmaccess-preview"))!;
-        api.vmName = vmName;
+        if (type === "VM") {
+            api.vmName = resource;
+            api.poolName = "";
+        } else {
+            api.poolName = resource;
+            api.vmName = "";
+        }
     });
 
 JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
@@ -203,19 +213,36 @@ window.orgJDrupesVmOperatorVmAccess.initEdit = (dialogDom: HTMLElement,
                     l10nBundles, JGWC.lang()!, key);
             };
 
+            const resource = ref<string>("vm");
             const vmNameInput = ref<string>("");
+            const poolNameInput = ref<string>("");
+            
+            watch(resource, (resource: string) => {
+                if (resource === "vm") {
+                    poolNameInput.value = "";
+                }
+                if (resource === "pool")
+                    vmNameInput.value = "";
+            });
+            
             const conletId = (<HTMLElement>dialogDom.closest(
                 "[data-conlet-id]")!).dataset["conletId"]!;
             const conlet = JGConsole.findConletPreview(conletId);
             if (conlet) {
                 const api = getApi<Api>(conlet.element().querySelector(
                     ":scope .jdrupes-vmoperator-vmaccess-preview"))!;
+                if (api.poolName) {
+                    resource.value = "pool";
+                }
                 vmNameInput.value = api.vmName;
+                poolNameInput.value = api.poolName;
             }
 
-            provideApi(dialogDom, vmNameInput);
+            provideApi(dialogDom, { resource: () => resource.value,
+                name: () => resource.value === "vm"
+                    ? vmNameInput.value : poolNameInput.value });
                         
-            return { formId, localize, vmNameInput };
+            return { formId, localize, resource, vmNameInput, poolNameInput };
         }
     });
     app.use(JgwcPlugin);
@@ -229,8 +256,9 @@ window.orgJDrupesVmOperatorVmAccess.applyEdit =
     }
     const conletId = (<HTMLElement>dialogDom.closest("[data-conlet-id]")!)
         .dataset["conletId"]!;
-    const vmName = getApi<ref<string>>(dialogDom!)!.value;
-    JGConsole.notifyConletModel(conletId, "selectedVm", vmName);
+    const editApi = getApi<ref<string>>(dialogDom!)!;
+    JGConsole.notifyConletModel(conletId, "selectedResource", editApi.resource(),
+        editApi.name());
 }
 
 window.orgJDrupesVmOperatorVmAccess.confirmReset = 
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
index 547dc746c..cf0fb56a6 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
@@ -77,6 +77,11 @@
 }
 
 .jdrupes-vmoperator-vmaccess.jdrupes-vmoperator-vmaccess-edit {
+  
+  fieldset ul li {
+    margin-top: 0.5em;
+  }
+  
   select {
     width: 15em;
   }

From 2dc93f1370debfa03f93db5be5be6e7201ac1280 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 1 Dec 2024 14:21:25 +0100
Subject: [PATCH 03/35] Unify permission usage.

---
 .../vmoperator/common/VmDefinition.java       | 23 +++++-
 .../org/jdrupes/vmoperator/common/VmPool.java | 71 +------------------
 .../vmoperator/manager/PoolManager.java       |  3 +-
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 44 +++++++++---
 4 files changed, 63 insertions(+), 78 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index 71ea7f10a..bab0802b3 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -94,6 +94,28 @@ public String toString() {
         }
     }
 
+    /**
+     * Permissions granted to a user or role.
+     *
+     * @param user the user
+     * @param role the role
+     * @param may the may
+     */
+    public record Grant(String user, String role, Set<Permission> may) {
+
+        @Override
+        public String toString() {
+            StringBuilder builder = new StringBuilder();
+            if (user != null) {
+                builder.append("User ").append(user);
+            } else {
+                builder.append("Role ").append(role);
+            }
+            builder.append(" may=").append(may).append(']');
+            return builder.toString();
+        }
+    }
+
     /**
      * Gets the kind.
      *
@@ -292,7 +314,6 @@ public String namespace() {
      * @return the string
      */
     public RequestedVmState vmState() {
-        // TODO
         return fromVm("state")
             .map(s -> "Running".equals(s) ? RequestedVmState.RUNNING
                 : RequestedVmState.STOPPED)
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index 4b29adc9d..07e06161b 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -20,14 +20,13 @@
 
 import java.util.Collection;
 import java.util.Collections;
-import java.util.EnumSet;
-import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
-import java.util.Map;
 import java.util.Set;
 import java.util.function.Function;
 import java.util.stream.Collectors;
+import org.jdrupes.vmoperator.common.VmDefinition.Grant;
+import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.util.DataPath;
 
 /**
@@ -60,7 +59,7 @@ public void setName(String name) {
     }
 
     /**
-     * All permissions.
+     * Permissions granted for a VM from the pool.
      *
      * @return the permissions
      */
@@ -120,68 +119,4 @@ public Set<Permission> permissionsFor(String user,
             .flatMap(Function.identity()).collect(Collectors.toSet());
     }
 
-    /**
-     * A permission grant to a user or role.
-     *
-     * @param user the user
-     * @param role the role
-     * @param may the may
-     */
-    public record Grant(String user, String role, Set<Permission> may) {
-
-        @Override
-        public String toString() {
-            StringBuilder builder = new StringBuilder();
-            if (user != null) {
-                builder.append("User ").append(user);
-            } else {
-                builder.append("Role ").append(role);
-            }
-            builder.append(" may=").append(may).append(']');
-            return builder.toString();
-        }
-    }
-
-    /**
-     * Permissions for accessing and manipulating the pool.
-     */
-    public enum Permission {
-        START("start"), STOP("stop"), RESET("reset"),
-        ACCESS_CONSOLE("accessConsole");
-
-        @SuppressWarnings("PMD.UseConcurrentHashMap")
-        private static Map<String, Permission> reprs = new HashMap<>();
-
-        static {
-            for (var value : EnumSet.allOf(Permission.class)) {
-                reprs.put(value.repr, value);
-            }
-        }
-
-        private final String repr;
-
-        Permission(String repr) {
-            this.repr = repr;
-        }
-
-        /**
-         * Create permission from representation in CRD.
-         *
-         * @param value the value
-         * @return the permission
-         */
-        @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
-        public static Set<Permission> parse(String value) {
-            if ("*".equals(value)) {
-                return EnumSet.allOf(Permission.class);
-            }
-            return Set.of(reprs.get(value));
-        }
-
-        @Override
-        public String toString() {
-            return repr;
-        }
-    }
-
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java
index fb1de2738..7bc455d7e 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java
@@ -142,9 +142,10 @@ protected void handleChange(K8sClient client,
         V1ObjectMeta metadata = response.object.getMetadata();
         vmPool.setName(metadata.getName());
 
-        // If modified, merge changes
+        // If modified, merge changes and notify
         if (type == ResponseType.MODIFIED && pools.containsKey(poolName)) {
             pools.get(poolName).setPermissions(vmPool.permissions());
+            poolPipeline.fire(new VmPoolChanged(vmPool));
             return;
         }
 
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index f671e93a7..4f4ef5312 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -50,6 +50,7 @@
 import org.bouncycastle.util.Objects;
 import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.VmDefinition;
+import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.common.VmPool;
 import org.jdrupes.vmoperator.manager.events.ChannelTracker;
 import org.jdrupes.vmoperator.manager.events.GetDisplayPassword;
@@ -108,7 +109,8 @@
  *
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports",
-    "PMD.CouplingBetweenObjects", "PMD.GodClass", "PMD.TooManyMethods" })
+    "PMD.CouplingBetweenObjects", "PMD.GodClass", "PMD.TooManyMethods",
+    "PMD.CyclomaticComplexity" })
 public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
 
     private static final String VM_NAME_PROPERTY = "vmName";
@@ -265,7 +267,8 @@ public void onConsoleConfigured(ConsoleConfigured event,
         addMissingVms(event, connection, rendered);
     }
 
-    @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
+    @SuppressWarnings({ "PMD.AvoidInstantiatingObjectsInLoops",
+        "PMD.AvoidDuplicateLiterals" })
     private void addMissingVms(ConsoleConfigured event,
             ConsoleConnection connection, final Set<ResourceModel> rendered) {
         boolean foundMissing = false;
@@ -445,7 +448,7 @@ private List<String> accessibleVms(ConsoleConnection channel) {
             .map(d -> d.getMetadata().getName()).sorted().toList();
     }
 
-    private Set<VmDefinition.Permission> vmPermissions(VmDefinition vmDef,
+    private Set<Permission> vmPermissions(VmDefinition vmDef,
             Session session) {
         var user = WebConsoleUtils.userFromSession(session)
             .map(ConsoleUser::getName).orElse(null);
@@ -460,7 +463,7 @@ private List<String> accessiblePools(ConsoleConnection channel) {
             .map(d -> d.name()).sorted().toList();
     }
 
-    private Set<VmPool.Permission> poolPermissions(VmPool pool,
+    private Set<Permission> poolPermissions(VmPool pool,
             Session session) {
         var user = WebConsoleUtils.userFromSession(session)
             .map(ConsoleUser::getName).orElse(null);
@@ -530,15 +533,19 @@ public void onVmDefChanged(VmDefChanged event, VmChannel channel)
         } else {
             channelTracker.put(vmName, channel, vmDef);
         }
+
+        // Update known conlets
         for (var entry : conletIdsByConsoleConnection().entrySet()) {
             var connection = entry.getKey();
             for (var conletId : entry.getValue()) {
                 var model = stateFromSession(connection.session(), conletId);
                 if (model.isEmpty()
+                    || model.get().type() != ResourceModel.Type.VM
                     || !Objects.areEqual(model.get().name(), vmName)) {
                     continue;
                 }
-                if (event.type() == K8sObserver.ResponseType.DELETED) {
+                if (event.type() == K8sObserver.ResponseType.DELETED
+                    || vmPermissions(vmDef, connection.session()).isEmpty()) {
                     connection.respond(
                         new DeleteConlet(conletId, Collections.emptySet()));
                 } else {
@@ -555,12 +562,33 @@ public void onVmDefChanged(VmDefChanged event, VmChannel channel)
      * @param channel the channel
      */
     @Handler(namedChannels = "manager")
+    @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
     public void onVmPoolChanged(VmPoolChanged event) {
+        var poolName = event.vmPool().name();
         if (event.deleted()) {
-            vmPools.remove(event.vmPool().name());
-            return;
+            vmPools.remove(poolName);
+        } else {
+            vmPools.put(poolName, event.vmPool());
+        }
+
+        // Update known conlets
+        for (var entry : conletIdsByConsoleConnection().entrySet()) {
+            var connection = entry.getKey();
+            for (var conletId : entry.getValue()) {
+                var model = stateFromSession(connection.session(), conletId);
+                if (model.isEmpty()
+                    || model.get().type() != ResourceModel.Type.POOL
+                    || !Objects.areEqual(model.get().name(), poolName)) {
+                    continue;
+                }
+                if (event.deleted()
+                    || poolPermissions(event.vmPool(), connection.session())
+                        .isEmpty()) {
+                    connection.respond(
+                        new DeleteConlet(conletId, Collections.emptySet()));
+                }
+            }
         }
-        vmPools.put(event.vmPool().name(), event.vmPool());
     }
 
     @Override

From c3428ea4a5912e2b5bba46880f9435caf97a1cef Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 1 Dec 2024 14:22:18 +0100
Subject: [PATCH 04/35] Rename pool manager to monitor.

---
 .../src/org/jdrupes/vmoperator/manager/Controller.java        | 2 +-
 .../vmoperator/manager/{PoolManager.java => PoolMonitor.java} | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
 rename org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/{PoolManager.java => PoolMonitor.java} (98%)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index d847785a2..1ef17f7c4 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -106,7 +106,7 @@ public Controller(Channel componentChannel) {
         // to access the VM's console. Might change in the future.
         // attach(new ServiceMonitor(channel()).channelManager(chanMgr));
         attach(new Reconciler(channel()));
-        attach(new PoolManager(channel()));
+        attach(new PoolMonitor(channel()));
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
similarity index 98%
rename from org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java
rename to org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 7bc455d7e..49c708dbc 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -53,7 +53,7 @@
  * avoid concurrent change informations.
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports" })
-public class PoolManager extends
+public class PoolMonitor extends
         AbstractMonitor<K8sDynamicModel, K8sDynamicModels, Channel> {
 
     private final ReentrantLock pendingLock = new ReentrantLock();
@@ -67,7 +67,7 @@ public class PoolManager extends
      * @param componentChannel the component channel
      * @param channelManager the channel manager
      */
-    public PoolManager(Channel componentChannel) {
+    public PoolMonitor(Channel componentChannel) {
         super(componentChannel, K8sDynamicModel.class,
             K8sDynamicModels.class);
     }

From 84ac4bb28c4ab8d82f23042bd029c02afd369b5d Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 1 Dec 2024 16:43:35 +0100
Subject: [PATCH 05/35] Add hashCode and equals.

---
 .../vmoperator/common/VmDefinition.java       | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index bab0802b3..754540566 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -25,6 +25,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
@@ -350,4 +351,27 @@ public Optional<Long> displayPasswordSerial() {
         return this.<Number> fromStatus("displayPasswordSerial")
             .map(Number::longValue);
     }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(metadata.getNamespace(), metadata.getName());
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj) {
+            return true;
+        }
+        if (obj == null) {
+            return false;
+        }
+        if (getClass() != obj.getClass()) {
+            return false;
+        }
+        VmDefinition other = (VmDefinition) obj;
+        return Objects.equals(metadata.getNamespace(),
+            other.metadata.getNamespace())
+            && Objects.equals(metadata.getName(), other.metadata.getName());
+    }
+
 }

From db7fbe2b7c22d1c0ee285c1fbc30ea17a0ea828c Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 2 Dec 2024 12:18:41 +0100
Subject: [PATCH 06/35] Cleanup CR deletion.

---
 .../jdrupes/vmoperator/manager/VmMonitor.java | 26 +++++++------------
 1 file changed, 10 insertions(+), 16 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index cc8ae7be0..315aee2f5 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -119,11 +119,6 @@ protected void handleChange(K8sClient client,
         V1ObjectMeta metadata = response.object.getMetadata();
         VmChannel channel = channelManager.channelGet(metadata.getName());
 
-        // Remove from channel manager if deleted
-        if (ResponseType.valueOf(response.type) == ResponseType.DELETED) {
-            channelManager.remove(metadata.getName());
-        }
-
         // Get full definition and associate with channel as backup
         var vmModel = response.object;
         if (vmModel.data() == null) {
@@ -151,17 +146,16 @@ protected void handleChange(K8sClient client,
 
         // Create and fire changed event. Remove channel from channel
         // manager on completion.
-        channel.pipeline()
-            .fire(Event.onCompletion(
-                new VmDefChanged(ResponseType.valueOf(response.type),
-                    channel.setGeneration(response.object.getMetadata()
-                        .getGeneration()),
-                    vmDef),
-                e -> {
-                    if (e.type() == ResponseType.DELETED) {
-                        channelManager.remove(e.vmDefinition().name());
-                    }
-                }), channel);
+        VmDefChanged chgEvt
+            = new VmDefChanged(ResponseType.valueOf(response.type),
+                channel.setGeneration(response.object.getMetadata()
+                    .getGeneration()),
+                vmDef);
+        if (ResponseType.valueOf(response.type) == ResponseType.DELETED) {
+            chgEvt = Event.onCompletion(chgEvt,
+                e -> channelManager.remove(e.vmDefinition().name()));
+        }
+        channel.pipeline().fire(chgEvt, channel);
     }
 
     private VmDefinitionModel getModel(K8sClient client,

From 15ac0721a6449ab6ac052e67ce8859a782de6c25 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 14 Jan 2025 10:22:56 +0100
Subject: [PATCH 07/35] Minor refactoring.

---
 .../jdrupes/vmoperator/common/VmDefinition.java   | 15 +++++++++++++++
 .../org/jdrupes/vmoperator/manager/VmMonitor.java | 15 +--------------
 .../src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java | 13 +++----------
 3 files changed, 19 insertions(+), 24 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index 754540566..b807e8cee 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -268,6 +268,21 @@ public void setStatus(Map<String, Object> status) {
         this.status = status;
     }
 
+    /**
+     * Return a condition's status.
+     *
+     * @param name the condition's name
+     * @return the status, if the condition is defined
+     */
+    public Optional<Boolean> conditionStatus(String name) {
+        return this.<List<Map<String, Object>>> fromStatus("conditions")
+            .orElse(Collections.emptyList()).stream()
+            .filter(cond -> DataPath.get(cond, "type")
+                .map(name::equals).orElse(false))
+            .findFirst().map(cond -> DataPath.get(cond, "status")
+                .map("True"::equals).orElse(false));
+    }
+
     /**
      * Set extra data (locally used, unknown to kubernetes).
      *
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 315aee2f5..6c769d270 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -24,9 +24,6 @@
 import io.kubernetes.client.util.generic.options.ListOptions;
 import java.io.IOException;
 import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.logging.Level;
@@ -49,7 +46,6 @@
 import org.jdrupes.vmoperator.manager.events.ChannelManager;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
-import org.jdrupes.vmoperator.util.DataPath;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Event;
 
@@ -184,16 +180,7 @@ private void addDynamicData(K8sClient client, VmDefinition vmDef,
         // VM definition status changes before the pod terminates.
         // This results in pod information being shown for a stopped
         // VM which is irritating. So check condition first.
-        @SuppressWarnings("PMD.LambdaCanBeMethodReference")
-        var isRunning
-            = vmDef.<List<Map<String, Object>>> fromStatus("conditions")
-                .orElse(Collections.emptyList()).stream()
-                .filter(cond -> DataPath.get(cond, "type")
-                    .map(t -> "Running".equals(t)).orElse(false))
-                .findFirst().map(cond -> DataPath.get(cond, "status")
-                    .map(s -> "True".equals(s)).orElse(false))
-                .orElse(false);
-        if (!isRunning) {
+        if (!vmDef.conditionStatus("Running").orElse(false)) {
             return;
         }
         var podSearch = new ListOptions();
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
index 8395b4c54..dbe17ca48 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
@@ -29,9 +29,7 @@
 import java.math.BigInteger;
 import java.time.Duration;
 import java.time.Instant;
-import java.util.Collections;
 import java.util.EnumSet;
-import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
@@ -328,14 +326,9 @@ private Summary evaluateSummary(boolean force) {
                 .add(vmDef.<String> fromStatus("ram")
                     .map(r -> Quantity.fromString(r).getNumber().toBigInteger())
                     .orElse(BigInteger.ZERO));
-            summary.runningVms
-                += vmDef.<List<Map<String, Object>>> fromStatus("conditions")
-                    .orElse(Collections.emptyList()).stream()
-                    .filter(cond -> DataPath.get(cond, "type")
-                        .map(t -> "Running".equals(t)).orElse(false)
-                        && DataPath.get(cond, "status")
-                            .map(s -> "True".equals(s)).orElse(false))
-                    .count();
+            if (vmDef.conditionStatus("Running").orElse(false)) {
+                summary.runningVms += 1;
+            }
         }
         cachedSummary = summary;
         return summary;

From 4943baf3e38bf9353ba75ef7e6cde6d878ad312c Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 14 Jan 2025 10:23:32 +0100
Subject: [PATCH 08/35] Save assignment information.

---
 deploy/crds/vms-crd.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index 5f67b4c05..1e79e27f5 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -1486,6 +1486,27 @@ spec:
                     by the runner if password protection is not enabled.
                   type: integer
                   default: 0
+                assignment:
+                  description: >-
+                    The assignment of this VM to a a particular user.
+                  type: object
+                  properties:
+                    pool:
+                      description: >-
+                        The pool this VM is taken from.
+                      type: string
+                      default: ""
+                    user:
+                      description: >-
+                        The user this VM is assigned to.
+                      type: string
+                      default: ""
+                    lastUsed:
+                      description: >-
+                        The last time this VM was used by the user.
+                      type: string
+                      default: "1970-01-01T00:00:00Z"
+                  default: {}
                 conditions:
                   description: >-
                     List of component conditions observed

From bd5227fda3e3981f81bb3bddad3a942544888497 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 15 Jan 2025 21:58:08 +0100
Subject: [PATCH 09/35] Simplify pool management.

---
 .../org/jdrupes/vmoperator/common/VmPool.java | 28 ++++++
 .../vmoperator/manager/PoolMonitor.java       | 96 +++++--------------
 2 files changed, 53 insertions(+), 71 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index 07e06161b..426a69cd8 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -36,10 +36,20 @@
 public class VmPool {
 
     private String name;
+    private boolean defined;
     private List<Grant> permissions = Collections.emptyList();
     private final Set<String> vms
         = Collections.synchronizedSet(new HashSet<>());
 
+    /**
+     * Instantiates a new vm pool.
+     *
+     * @param name the name
+     */
+    public VmPool(String name) {
+        this.name = name;
+    }
+
     /**
      * Returns the name.
      *
@@ -58,6 +68,24 @@ public void setName(String name) {
         this.name = name;
     }
 
+    /**
+     * Checks if is defined.
+     *
+     * @return the result
+     */
+    public boolean isDefined() {
+        return defined;
+    }
+
+    /**
+     * Sets if is.
+     *
+     * @param defined the defined to set
+     */
+    public void setDefined(boolean defined) {
+        this.defined = defined;
+    }
+
     /**
      * Permissions granted for a VM from the pool.
      *
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 49c708dbc..27dfb7d12 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -19,17 +19,13 @@
 package org.jdrupes.vmoperator.manager;
 
 import io.kubernetes.client.openapi.ApiException;
-import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.util.Watch;
 import java.io.IOException;
 import java.util.Collections;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
-import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.locks.ReentrantLock;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
@@ -56,8 +52,6 @@
 public class PoolMonitor extends
         AbstractMonitor<K8sDynamicModel, K8sDynamicModels, Channel> {
 
-    private final ReentrantLock pendingLock = new ReentrantLock();
-    private final Map<String, Set<String>> pending = new ConcurrentHashMap<>();
     private final Map<String, VmPool> pools = new ConcurrentHashMap<>();
     private EventPipeline poolPipeline;
 
@@ -107,18 +101,13 @@ protected void handleChange(K8sClient client,
 
         // When pool is deleted, save VMs in pending
         if (type == ResponseType.DELETED) {
-            try {
-                pendingLock.lock();
-                Optional.ofNullable(pools.get(poolName)).ifPresent(
-                    p -> {
-                        pending.computeIfAbsent(poolName, k -> Collections
-                            .synchronizedSet(new HashSet<>())).addAll(p.vms());
-                        pools.remove(poolName);
-                        poolPipeline.fire(new VmPoolChanged(p, true));
-                    });
-            } finally {
-                pendingLock.unlock();
-            }
+            Optional.ofNullable(pools.get(poolName)).ifPresent(pool -> {
+                pool.setDefined(false);
+                if (pool.vms().isEmpty()) {
+                    pools.remove(poolName);
+                }
+                poolPipeline.fire(new VmPoolChanged(pool, true));
+            });
             return;
         }
 
@@ -135,32 +124,13 @@ protected void handleChange(K8sClient client,
             }
         }
 
-        // Convert to VM pool
-        var vmPool = client().getJSON().getGson().fromJson(
-            GsonPtr.to(poolModel.data()).to("spec").get(),
-            VmPool.class);
-        V1ObjectMeta metadata = response.object.getMetadata();
-        vmPool.setName(metadata.getName());
-
-        // If modified, merge changes and notify
-        if (type == ResponseType.MODIFIED && pools.containsKey(poolName)) {
-            pools.get(poolName).setPermissions(vmPool.permissions());
-            poolPipeline.fire(new VmPoolChanged(vmPool));
-            return;
-        }
-
-        // Add new pool
-        try {
-            pendingLock.lock();
-            Optional.ofNullable(pending.get(poolName)).ifPresent(s -> {
-                vmPool.vms().addAll(s);
-            });
-            pending.remove(poolName);
-            pools.put(poolName, vmPool);
-            poolPipeline.fire(new VmPoolChanged(vmPool));
-        } finally {
-            pendingLock.unlock();
-        }
+        // Get pool and merge changes
+        var vmPool = pools.computeIfAbsent(poolName, k -> new VmPool(poolName));
+        var newData = client().getJSON().getGson().fromJson(
+            GsonPtr.to(poolModel.data()).to("spec").get(), VmPool.class);
+        vmPool.setPermissions(newData.permissions());
+        vmPool.setDefined(true);
+        poolPipeline.fire(new VmPoolChanged(vmPool));
     }
 
     /**
@@ -173,35 +143,19 @@ public void onVmDefChanged(VmDefChanged event) {
         String vmName = event.vmDefinition().name();
         switch (event.type()) {
         case ADDED:
-            try {
-                pendingLock.lock();
-                event.vmDefinition().<List<String>> fromSpec("pools")
-                    .orElse(Collections.emptyList()).stream().forEach(p -> {
-                        if (pools.containsKey(p)) {
-                            pools.get(p).vms().add(vmName);
-                        } else {
-                            pending.computeIfAbsent(p, k -> Collections
-                                .synchronizedSet(new HashSet<>())).add(vmName);
-                        }
-                        poolPipeline.fire(new VmPoolChanged(pools.get(p)));
-                    });
-            } finally {
-                pendingLock.unlock();
-            }
+            event.vmDefinition().<List<String>> fromSpec("pools")
+                .orElse(Collections.emptyList()).stream().forEach(p -> {
+                    pools.computeIfAbsent(p, k -> new VmPool(p))
+                        .vms().add(vmName);
+                    poolPipeline.fire(new VmPoolChanged(pools.get(p)));
+                });
             break;
         case DELETED:
-            try {
-                pendingLock.lock();
-                pools.values().stream().forEach(p -> {
-                    if (p.vms().remove(vmName)) {
-                        poolPipeline.fire(new VmPoolChanged(p));
-                    }
-                });
-                // Should not be necessary, but just in case
-                pending.values().stream().forEach(s -> s.remove(vmName));
-            } finally {
-                pendingLock.unlock();
-            }
+            pools.values().stream().forEach(p -> {
+                if (p.vms().remove(vmName)) {
+                    poolPipeline.fire(new VmPoolChanged(p));
+                }
+            });
             break;
         default:
             break;

From 5bd6700541c1a0722f313ff1a6320c61fc922636 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 15 Jan 2025 22:06:00 +0100
Subject: [PATCH 10/35] Name not needed.

---
 .../org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
index 1a10a7dd8..afbff3a99 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
@@ -10,7 +10,7 @@
         <ul>
           <li>
             <label>
-              <input v-model="resource" type="radio" name="resource" value="vm">
+              <input v-model="resource" type="radio" value="vm">
               <span>{{ localize("VM") }}</span>
               <select v-model="vmNameInput" :disabled="resource !== 'vm'">
               <#list vmNames as name>
@@ -21,7 +21,7 @@
           </li>
           <li>
             <label>
-              <input v-model="resource" type="radio" name="resource" value="pool">
+              <input v-model="resource" type="radio" value="pool">
               <span>{{ localize("Pool") }}</span>
               <select v-model="poolNameInput" :disabled="resource !== 'pool'">
               <#list poolNames as name>

From 76be59a5b3cdef6e01044614c627a74ac54df81f Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 18 Jan 2025 17:02:30 +0100
Subject: [PATCH 11/35] Don't duplicate VM management.

---
 .../vmoperator/manager/events/GetPools.java   |  67 ++++++
 .../vmoperator/manager/events/GetVms.java     |  97 +++++++++
 .../vmoperator/manager/PoolMonitor.java       |  15 ++
 .../jdrupes/vmoperator/manager/VmMonitor.java |  20 ++
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 201 ++++++++++--------
 5 files changed, 315 insertions(+), 85 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java
 create mode 100644 org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java

diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java
new file mode 100644
index 000000000..12575995e
--- /dev/null
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java
@@ -0,0 +1,67 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2024 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.manager.events;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+import org.jdrupes.vmoperator.common.VmPool;
+import org.jgrapes.core.Event;
+
+/**
+ * Gets the known pools' definitions.
+ */
+@SuppressWarnings("PMD.DataClass")
+public class GetPools extends Event<List<VmPool>> {
+
+    private String user;
+    private List<String> roles = Collections.emptyList();
+
+    /**
+     * Return only {@link VmPool}s that are accessible by
+     * the given user or roles.
+     *
+     * @param user the user
+     * @param roles the roles
+     * @return the event 
+     */
+    public GetPools accessibleFor(String user, List<String> roles) {
+        this.user = user;
+        this.roles = roles;
+        return this;
+    }
+
+    /**
+     * Returns the user filter criterion, if set.
+     *
+     * @return the optional
+     */
+    public Optional<String> forUser() {
+        return Optional.ofNullable(user);
+    }
+
+    /**
+     * Returns the roles criterion.
+     *
+     * @return the list
+     */
+    public List<String> forRoles() {
+        return roles;
+    }
+}
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java
new file mode 100644
index 000000000..ebb19cca7
--- /dev/null
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java
@@ -0,0 +1,97 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2024 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.manager.events;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+import org.jdrupes.vmoperator.common.VmDefinition;
+import org.jgrapes.core.Event;
+
+/**
+ * Gets the known VMs' definitions and channels.
+ */
+@SuppressWarnings("PMD.DataClass")
+public class GetVms extends Event<List<GetVms.VmData>> {
+
+    private String name;
+    private String user;
+    private List<String> roles = Collections.emptyList();
+
+    /**
+     * Return only the VMs with the given name.
+     *
+     * @param name the name
+     * @return the returns the vms
+     */
+    public GetVms withName(String name) {
+        this.name = name;
+        return this;
+    }
+
+    /**
+     * Return only {@link VmDefinition}s that are accessible by
+     * the given user or roles.
+     *
+     * @param user the user
+     * @param roles the roles
+     * @return the event
+     */
+    public GetVms accessibleFor(String user, List<String> roles) {
+        this.user = user;
+        this.roles = roles;
+        return this;
+    }
+
+    /**
+     * Returns the name filter criterion, if set.
+     *
+     * @return the optional
+     */
+    public Optional<String> name() {
+        return Optional.ofNullable(name);
+    }
+
+    /**
+     * Returns the user filter criterion, if set.
+     *
+     * @return the optional
+     */
+    public Optional<String> user() {
+        return Optional.ofNullable(user);
+    }
+
+    /**
+     * Returns the roles criterion.
+     *
+     * @return the list
+     */
+    public List<String> roles() {
+        return roles;
+    }
+
+    /**
+     * Return tuple.
+     *
+     * @param definition the definition
+     * @param channel the channel
+     */
+    public record VmData(VmDefinition definition, VmChannel channel) {
+    }
+}
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 27dfb7d12..1864ea7df 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -35,6 +35,7 @@
 import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
 import org.jdrupes.vmoperator.common.VmPool;
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_KIND_VM_POOL;
+import org.jdrupes.vmoperator.manager.events.GetPools;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.manager.events.VmPoolChanged;
 import org.jdrupes.vmoperator.util.GsonPtr;
@@ -161,4 +162,18 @@ public void onVmDefChanged(VmDefChanged event) {
             break;
         }
     }
+
+    /**
+     * Return the requested pools.
+     *
+     * @param event the event
+     */
+    @Handler
+    public void onGetPools(GetPools event) {
+        event.setResult(pools.values().stream()
+            .filter(p -> event.forUser().isEmpty() && event.forRoles().isEmpty()
+                || !p.permissionsFor(event.forUser().orElse(null),
+                    event.forRoles()).isEmpty())
+            .toList());
+    }
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 6c769d270..b5268a2c5 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -44,10 +44,13 @@
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_KIND_VM;
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.manager.events.ChannelManager;
+import org.jdrupes.vmoperator.manager.events.GetVms;
+import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Event;
+import org.jgrapes.core.annotation.Handler;
 
 /**
  * Watches for changes of VM definitions.
@@ -208,4 +211,21 @@ private void addDynamicData(K8sClient client, VmDefinition vmDef,
                 () -> "Cannot access node information: " + e.getMessage());
         }
     }
+
+    /**
+     * Returns the VM data.
+     *
+     * @param event the event
+     */
+    @Handler
+    public void onGetVms(GetVms event) {
+        event.setResult(channelManager.channels().stream()
+            .filter(c -> event.name().isEmpty()
+                || c.vmDefinition().name().equals(event.name().get()))
+            .filter(c -> event.user().isEmpty() && event.roles().isEmpty()
+                || !c.vmDefinition().permissionsFor(event.user().orElse(null),
+                    event.roles()).isEmpty())
+            .map(c -> new VmData(c.vmDefinition(), c))
+            .toList());
+    }
 }
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 4f4ef5312..8d1a71adb 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -52,8 +52,10 @@
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.common.VmPool;
-import org.jdrupes.vmoperator.manager.events.ChannelTracker;
 import org.jdrupes.vmoperator.manager.events.GetDisplayPassword;
+import org.jdrupes.vmoperator.manager.events.GetPools;
+import org.jdrupes.vmoperator.manager.events.GetVms;
+import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
@@ -62,8 +64,10 @@
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Components;
 import org.jgrapes.core.Event;
+import org.jgrapes.core.EventPipeline;
 import org.jgrapes.core.Manager;
 import org.jgrapes.core.annotation.Handler;
+import org.jgrapes.core.events.Start;
 import org.jgrapes.http.Session;
 import org.jgrapes.util.events.ConfigurationUpdate;
 import org.jgrapes.util.events.KeyValueStoreQuery;
@@ -122,8 +126,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         RenderMode.Preview, RenderMode.Edit);
     private static final Set<RenderMode> MODES_FOR_GENERATED = RenderMode.asSet(
         RenderMode.Preview, RenderMode.StickyPreview);
-    private final ChannelTracker<String, VmChannel,
-            VmDefinition> channelTracker = new ChannelTracker<>();
+    private EventPipeline appPipeline;
     private static ObjectMapper objectMapper
         = new ObjectMapper().registerModule(new JavaTimeModule());
     private Class<?> preferredIpVersion = Inet4Address.class;
@@ -150,6 +153,16 @@ public VmAccess(Channel componentChannel) {
         super(componentChannel);
     }
 
+    /**
+     * On start.
+     *
+     * @param event the event
+     */
+    @Handler
+    public void onStart(Start event) {
+        appPipeline = event.processedBy().get();
+    }
+
     /**
      * Configure the component. 
      * 
@@ -263,18 +276,24 @@ public void onConsoleConfigured(ConsoleConfigured event,
         if (!syncPreviews(connection.session())) {
             return;
         }
-
-        addMissingVms(event, connection, rendered);
+        addMissingConlets(event, connection, rendered);
     }
 
     @SuppressWarnings({ "PMD.AvoidInstantiatingObjectsInLoops",
         "PMD.AvoidDuplicateLiterals" })
-    private void addMissingVms(ConsoleConfigured event,
-            ConsoleConnection connection, final Set<ResourceModel> rendered) {
+    private void addMissingConlets(ConsoleConfigured event,
+            ConsoleConnection connection, final Set<ResourceModel> rendered)
+            throws InterruptedException {
         boolean foundMissing = false;
-        for (var vmName : accessibleVms(connection)) {
+        var session = connection.session();
+        for (var vmName : appPipeline.fire(new GetVms().accessibleFor(
+            WebConsoleUtils.userFromSession(session)
+                .map(ConsoleUser::getName).orElse(null),
+            WebConsoleUtils.rolesFromSession(session).stream()
+                .map(ConsoleRole::getName).toList()))
+            .get().stream().map(d -> d.definition().name()).toList()) {
             if (rendered.stream()
-                .anyMatch(r -> r.type() == ResourceModel.Type.VM
+                .anyMatch(r -> r.mode() == ResourceModel.Mode.VM
                     && r.name().equals(vmName))) {
                 continue;
             }
@@ -318,7 +337,7 @@ private String storagePath(Session session, String conletId) {
     protected Optional<ResourceModel> createNewState(AddConletRequest event,
             ConsoleConnection connection, String conletId) throws Exception {
         var model = new ResourceModel(conletId);
-        model.setType(ResourceModel.Type.VM);
+        model.setMode(ResourceModel.Mode.VM);
         model
             .setName((String) event.properties().get(VM_NAME_PROPERTY));
         String jsonState = objectMapper.writeValueAsString(model);
@@ -373,11 +392,25 @@ protected Set<RenderMode> doRenderConlet(RenderConletRequestBase<?> event,
         ResourceBundle resourceBundle = resourceBundle(channel.locale());
         Set<RenderMode> renderedAs = EnumSet.noneOf(RenderMode.class);
         if (event.renderAs().contains(RenderMode.Edit)) {
-            Template tpl = freemarkerConfig()
-                .getTemplate("VmAccess-edit.ftl.html");
+            var session = channel.session();
+            var vmNames = appPipeline.fire(new GetVms().accessibleFor(
+                WebConsoleUtils.userFromSession(session)
+                    .map(ConsoleUser::getName).orElse(null),
+                WebConsoleUtils.rolesFromSession(session).stream()
+                    .map(ConsoleRole::getName).toList()))
+                .get().stream().map(d -> d.definition().name()).sorted()
+                .toList();
+            var poolNames = appPipeline.fire(new GetPools().accessibleFor(
+                WebConsoleUtils.userFromSession(session)
+                    .map(ConsoleUser::getName).orElse(null),
+                WebConsoleUtils.rolesFromSession(session).stream()
+                    .map(ConsoleRole::getName).toList()))
+                .get().stream().map(VmPool::name).sorted().toList();
+            Template tpl
+                = freemarkerConfig().getTemplate("VmAccess-edit.ftl.html");
             var fmModel = fmModel(event, channel, conletId, model);
-            fmModel.put("vmNames", accessibleVms(channel));
-            fmModel.put("poolNames", accessiblePools(channel));
+            fmModel.put("vmNames", vmNames);
+            fmModel.put("poolNames", poolNames);
             channel.respond(new OpenModalDialog(type(), conletId,
                 processTemplate(event, tpl, fmModel))
                     .addOption("cancelable", true)
@@ -391,27 +424,32 @@ protected Set<RenderMode> doRenderConlet(RenderConletRequestBase<?> event,
     private Set<RenderMode> renderPreview(RenderConletRequestBase<?> event,
             ConsoleConnection channel, String conletId, ResourceModel model)
             throws TemplateNotFoundException, MalformedTemplateNameException,
-            ParseException, IOException {
+            ParseException, IOException, InterruptedException {
         channel.associated(PENDING, Event.class)
             .ifPresent(e -> {
                 e.resumeHandling();
                 channel.setAssociated(PENDING, null);
             });
 
-        if (model.type() == ResourceModel.Type.VM && model.name() != null) {
+        var session = channel.session();
+        if (model.mode() == ResourceModel.Mode.VM && model.name() != null) {
             // Remove conlet if VM definition has been removed
             // or user has not at least one permission
-            Optional<VmDefinition> vmDef
-                = channelTracker.associated(model.name());
-            if (vmDef.isEmpty()
-                || vmPermissions(vmDef.get(), channel.session()).isEmpty()) {
+            Optional<VmData> vmData = appPipeline.fire(new GetVms()
+                .withName(model.name()).accessibleFor(
+                    WebConsoleUtils.userFromSession(session)
+                        .map(ConsoleUser::getName).orElse(null),
+                    WebConsoleUtils.rolesFromSession(session).stream()
+                        .map(ConsoleRole::getName).toList()))
+                .get().stream().findFirst();
+            if (vmData.isEmpty()) {
                 channel.respond(
                     new DeleteConlet(conletId, Collections.emptySet()));
                 return Collections.emptySet();
             }
         }
 
-        if (model.type() == ResourceModel.Type.POOL && model.name() != null) {
+        if (model.mode() == ResourceModel.Mode.POOL && model.name() != null) {
             // Remove conlet if pool definition has been removed
             // or user has not at least one permission
             VmPool pool = vmPools.get(model.name());
@@ -442,12 +480,6 @@ private Set<RenderMode> renderPreview(RenderConletRequestBase<?> event,
         return EnumSet.of(RenderMode.Preview);
     }
 
-    private List<String> accessibleVms(ConsoleConnection channel) {
-        return channelTracker.associated().stream()
-            .filter(d -> !vmPermissions(d, channel.session()).isEmpty())
-            .map(d -> d.getMetadata().getName()).sorted().toList();
-    }
-
     private Set<Permission> vmPermissions(VmDefinition vmDef,
             Session session) {
         var user = WebConsoleUtils.userFromSession(session)
@@ -457,12 +489,6 @@ private Set<Permission> vmPermissions(VmDefinition vmDef,
         return vmDef.permissionsFor(user, roles);
     }
 
-    private List<String> accessiblePools(ConsoleConnection channel) {
-        return vmPools.values().stream()
-            .filter(d -> !poolPermissions(d, channel.session()).isEmpty())
-            .map(d -> d.name()).sorted().toList();
-    }
-
     private Set<Permission> poolPermissions(VmPool pool,
             Session session) {
         var user = WebConsoleUtils.userFromSession(session)
@@ -472,34 +498,36 @@ private Set<Permission> poolPermissions(VmPool pool,
         return pool.permissionsFor(user, roles);
     }
 
-    private void updateConfig(ConsoleConnection channel, ResourceModel model) {
+    private void updateConfig(ConsoleConnection channel, ResourceModel model)
+            throws InterruptedException {
         channel.respond(new NotifyConletView(type(),
-            model.getConletId(), "updateConfig", model.type(), model.name()));
+            model.getConletId(), "updateConfig", model.mode(), model.name()));
         updateVmDef(channel, model);
     }
 
-    private void updateVmDef(ConsoleConnection channel, ResourceModel model) {
+    private void updateVmDef(ConsoleConnection channel, ResourceModel model)
+            throws InterruptedException {
         if (Strings.isNullOrEmpty(model.name())) {
             return;
         }
-        channelTracker.value(model.name()).ifPresent(item -> {
-            try {
-                var vmDef = item.associated();
-                var data = Map.of("metadata",
-                    Map.of("namespace", vmDef.namespace(),
-                        "name", vmDef.name()),
-                    "spec", vmDef.spec(),
-                    "status", vmDef.getStatus(),
-                    "userPermissions",
-                    vmPermissions(vmDef, channel.session()).stream()
-                        .map(VmDefinition.Permission::toString).toList());
-                channel.respond(new NotifyConletView(type(),
-                    model.getConletId(), "updateVmDefinition", data));
-            } catch (JsonSyntaxException e) {
-                logger.log(Level.SEVERE, e,
-                    () -> "Failed to serialize VM definition");
-            }
-        });
+        appPipeline.fire(new GetVms().withName(model.name())).get().stream()
+            .findFirst().map(d -> d.definition()).ifPresent(vmDef -> {
+                try {
+                    var data = Map.of("metadata",
+                        Map.of("namespace", vmDef.namespace(),
+                            "name", vmDef.name()),
+                        "spec", vmDef.spec(),
+                        "status", vmDef.getStatus(),
+                        "userPermissions",
+                        vmPermissions(vmDef, channel.session()).stream()
+                            .map(VmDefinition.Permission::toString).toList());
+                    channel.respond(new NotifyConletView(type(),
+                        model.getConletId(), "updateVmDefinition", data));
+                } catch (JsonSyntaxException e) {
+                    logger.log(Level.SEVERE, e,
+                        () -> "Failed to serialize VM definition");
+                }
+            });
     }
 
     @Override
@@ -519,20 +547,15 @@ protected void doConletDeleted(ConletDeleted event,
      * @param event the event
      * @param channel the channel
      * @throws IOException 
+     * @throws InterruptedException 
      */
     @Handler(namedChannels = "manager")
     @SuppressWarnings({ "PMD.ConfusingTernary", "PMD.CognitiveComplexity",
         "PMD.AvoidInstantiatingObjectsInLoops", "PMD.AvoidDuplicateLiterals",
         "PMD.ConfusingArgumentToVarargsMethod" })
     public void onVmDefChanged(VmDefChanged event, VmChannel channel)
-            throws IOException {
+            throws IOException, InterruptedException {
         var vmDef = event.vmDefinition();
-        var vmName = vmDef.name();
-        if (event.type() == K8sObserver.ResponseType.DELETED) {
-            channelTracker.remove(vmName);
-        } else {
-            channelTracker.put(vmName, channel, vmDef);
-        }
 
         // Update known conlets
         for (var entry : conletIdsByConsoleConnection().entrySet()) {
@@ -540,8 +563,8 @@ public void onVmDefChanged(VmDefChanged event, VmChannel channel)
             for (var conletId : entry.getValue()) {
                 var model = stateFromSession(connection.session(), conletId);
                 if (model.isEmpty()
-                    || model.get().type() != ResourceModel.Type.VM
-                    || !Objects.areEqual(model.get().name(), vmName)) {
+                    || model.get().mode() != ResourceModel.Mode.VM
+                    || !Objects.areEqual(model.get().name(), vmDef.name())) {
                     continue;
                 }
                 if (event.type() == K8sObserver.ResponseType.DELETED
@@ -577,7 +600,7 @@ public void onVmPoolChanged(VmPoolChanged event) {
             for (var conletId : entry.getValue()) {
                 var model = stateFromSession(connection.session(), conletId);
                 if (model.isEmpty()
-                    || model.get().type() != ResourceModel.Type.POOL
+                    || model.get().mode() != ResourceModel.Mode.POOL
                     || !Objects.areEqual(model.get().name(), poolName)) {
                     continue;
                 }
@@ -605,13 +628,13 @@ protected void doUpdateConletState(NotifyConletModel event,
         }
 
         // Handle command for selected VM
-        var both = Optional.ofNullable(model.name())
-            .flatMap(vm -> channelTracker.value(vm));
-        if (both.isEmpty()) {
+        var vmData = appPipeline.fire(new GetVms().withName(model.name())).get()
+            .stream().findFirst();
+        if (vmData.isEmpty()) {
             return;
         }
-        var vmChannel = both.get().channel();
-        var vmDef = both.get().associated();
+        var vmChannel = vmData.get().channel();
+        var vmDef = vmData.get().definition();
         var vmName = vmDef.metadata().getName();
         var perms = vmPermissions(vmDef, channel.session());
         var resourceBundle = resourceBundle(channel.locale());
@@ -656,9 +679,9 @@ protected void doUpdateConletState(NotifyConletModel event,
         "PMD.UseLocaleWithCaseConversions" })
     private void selectResource(NotifyConletModel event,
             ConsoleConnection channel, ResourceModel model)
-            throws JsonProcessingException {
+            throws JsonProcessingException, InterruptedException {
         try {
-            model.setType(ResourceModel.Type
+            model.setMode(ResourceModel.Mode
                 .valueOf(event.<String> param(0).toUpperCase()));
             model.setName(event.param(1));
             String jsonState = objectMapper.writeValueAsString(model);
@@ -672,7 +695,13 @@ private void selectResource(NotifyConletModel event,
 
     private void openConsole(String vmName, ConsoleConnection connection,
             ResourceModel model, String password) {
-        var vmDef = channelTracker.associated(vmName).orElse(null);
+        VmDefinition vmDef;
+        try {
+            vmDef = appPipeline.fire(new GetVms().withName(model.name())).get()
+                .stream().findFirst().map(VmData::definition).orElse(null);
+        } catch (InterruptedException e) {
+            return;
+        }
         if (vmDef == null) {
             return;
         }
@@ -771,11 +800,11 @@ public static class ResourceModel extends ConletBaseModel {
          * The Enum ResourceType.
          */
         @SuppressWarnings("PMD.ShortVariable")
-        public enum Type {
+        public enum Mode {
             VM, POOL
         }
 
-        private Type type;
+        private Mode mode;
         private String name;
 
         /**
@@ -807,27 +836,29 @@ public void setName(String name) {
         }
 
         /**
+         * Returns the mode.
+         *
          * @return the resourceType
          */
-        @JsonGetter("type")
-        public Type type() {
-            return type;
+        @JsonGetter("mode")
+        public Mode mode() {
+            return mode;
         }
 
         /**
-         * Sets the type.
+         * Sets the mode.
          *
-         * @param type the resource type to set
+         * @param mode the resource mode to set
          */
-        public void setType(Type type) {
-            this.type = type;
+        public void setMode(Mode mode) {
+            this.mode = mode;
         }
 
         @Override
         public int hashCode() {
             final int prime = 31;
             int result = super.hashCode();
-            result = prime * result + java.util.Objects.hash(name, type);
+            result = prime * result + java.util.Objects.hash(name, mode);
             return result;
         }
 
@@ -844,14 +875,14 @@ public boolean equals(Object obj) {
             }
             ResourceModel other = (ResourceModel) obj;
             return java.util.Objects.equals(name, other.name)
-                && type == other.type;
+                && mode == other.mode;
         }
 
         @Override
         public String toString() {
             StringBuilder builder = new StringBuilder(50);
-            builder.append("AccessModel [resourceType=").append(type)
-                .append(", resourceName=").append(name).append(']');
+            builder.append("AccessModel [mode=").append(mode)
+                .append(", name=").append(name).append(']');
             return builder.toString();
         }
 

From 9b47ad31367ae8b1d46ef8c14aa260242fcf8fd3 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 18 Jan 2025 17:16:54 +0100
Subject: [PATCH 12/35] Don't duplicate pool management.

---
 .../vmoperator/manager/events/GetPools.java   | 21 +++++++++++++++++++
 .../vmoperator/manager/PoolMonitor.java       |  2 ++
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 13 +++---------
 3 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java
index 12575995e..40fa6ad5c 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java
@@ -30,9 +30,21 @@
 @SuppressWarnings("PMD.DataClass")
 public class GetPools extends Event<List<VmPool>> {
 
+    private String name;
     private String user;
     private List<String> roles = Collections.emptyList();
 
+    /**
+     * Return only the pool with the given name.
+     *
+     * @param name the name
+     * @return the returns the vms
+     */
+    public GetPools withName(String name) {
+        this.name = name;
+        return this;
+    }
+
     /**
      * Return only {@link VmPool}s that are accessible by
      * the given user or roles.
@@ -47,6 +59,15 @@ public GetPools accessibleFor(String user, List<String> roles) {
         return this;
     }
 
+    /**
+     * Returns the name filter criterion, if set.
+     *
+     * @return the optional
+     */
+    public Optional<String> name() {
+        return Optional.ofNullable(name);
+    }
+
     /**
      * Returns the user filter criterion, if set.
      *
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 1864ea7df..00033ba14 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -171,6 +171,8 @@ public void onVmDefChanged(VmDefChanged event) {
     @Handler
     public void onGetPools(GetPools event) {
         event.setResult(pools.values().stream()
+            .filter(p -> event.name().isEmpty()
+                || p.name().equals(event.name().get()))
             .filter(p -> event.forUser().isEmpty() && event.forRoles().isEmpty()
                 || !p.permissionsFor(event.forUser().orElse(null),
                     event.forRoles()).isEmpty())
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 8d1a71adb..c48488af7 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -38,7 +38,6 @@
 import java.util.Base64;
 import java.util.Collections;
 import java.util.EnumSet;
-import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -133,8 +132,6 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
     private Set<String> syncUsers = Collections.emptySet();
     private Set<String> syncRoles = Collections.emptySet();
     private boolean deleteConnectionFile = true;
-    @SuppressWarnings("PMD.UseConcurrentHashMap")
-    private final Map<String, VmPool> vmPools = new HashMap<>();
 
     /**
      * The periodically generated update event.
@@ -452,7 +449,9 @@ private Set<RenderMode> renderPreview(RenderConletRequestBase<?> event,
         if (model.mode() == ResourceModel.Mode.POOL && model.name() != null) {
             // Remove conlet if pool definition has been removed
             // or user has not at least one permission
-            VmPool pool = vmPools.get(model.name());
+            VmPool pool = appPipeline
+                .fire(new GetPools().withName(model.name())).get()
+                .stream().findFirst().orElse(null);
             if (pool == null
                 || poolPermissions(pool, channel.session()).isEmpty()) {
                 channel.respond(
@@ -588,12 +587,6 @@ public void onVmDefChanged(VmDefChanged event, VmChannel channel)
     @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
     public void onVmPoolChanged(VmPoolChanged event) {
         var poolName = event.vmPool().name();
-        if (event.deleted()) {
-            vmPools.remove(poolName);
-        } else {
-            vmPools.put(poolName, event.vmPool());
-        }
-
         // Update known conlets
         for (var entry : conletIdsByConsoleConnection().entrySet()) {
             var connection = entry.getKey();

From d060a9334a21460f071411d9adf86091ba11f386 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 18 Jan 2025 17:50:33 +0100
Subject: [PATCH 13/35] Return only defined pools.

---
 .../src/org/jdrupes/vmoperator/manager/PoolMonitor.java         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 00033ba14..e11f667b5 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -170,7 +170,7 @@ public void onVmDefChanged(VmDefChanged event) {
      */
     @Handler
     public void onGetPools(GetPools event) {
-        event.setResult(pools.values().stream()
+        event.setResult(pools.values().stream().filter(VmPool::isDefined)
             .filter(p -> event.name().isEmpty()
                 || p.name().equals(event.name().get()))
             .filter(p -> event.forUser().isEmpty() && event.forRoles().isEmpty()

From 6d5ba8829c71697411710d1499f92a365882eed9 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 23 Jan 2025 13:41:53 +0100
Subject: [PATCH 14/35] Basically working.

---
 deploy/crds/vmpools-crd.yaml                  |   2 +-
 deploy/crds/vms-crd.yaml                      |   5 +-
 dev-example/test-pool.yaml                    |   5 +
 dev-example/test-vm.tpl.yaml                  |   3 -
 dev-example/test-vm.yaml                      |   3 -
 .../vmoperator/common/VmDefinition.java       |  52 ++-
 .../vmoperator/manager/events/AssignVm.java   |  61 ++++
 .../vmoperator/manager/events/GetVms.java     |  42 +++
 .../jdrupes/vmoperator/manager/VmMonitor.java |  60 +++-
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 328 ++++++++++++------
 .../vmaccess/browser/VmAccess-functions.ts    |  71 ++--
 .../vmaccess/browser/VmAccess-style.scss      |   5 +
 12 files changed, 491 insertions(+), 146 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/AssignVm.java

diff --git a/deploy/crds/vmpools-crd.yaml b/deploy/crds/vmpools-crd.yaml
index 5f8414f51..193d5478f 100644
--- a/deploy/crds/vmpools-crd.yaml
+++ b/deploy/crds/vmpools-crd.yaml
@@ -44,7 +44,7 @@ spec:
                           - reset
                           - accessConsole
                           - "*"
-                        default: []
+                        default: ["accessConsole"]
               required:
               - permissions
   # either Namespaced or Cluster
diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index 1e79e27f5..9d7bbb859 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -1022,7 +1022,7 @@ spec:
                 pools:
                   type: array
                   description: >-
-                    List of pools to which this VM belongs.
+                    List of pools this VM belongs to.
                   items:
                     type: string
                   default: []
@@ -1495,17 +1495,14 @@ spec:
                       description: >-
                         The pool this VM is taken from.
                       type: string
-                      default: ""
                     user:
                       description: >-
                         The user this VM is assigned to.
                       type: string
-                      default: ""
                     lastUsed:
                       description: >-
                         The last time this VM was used by the user.
                       type: string
-                      default: "1970-01-01T00:00:00Z"
                   default: {}
                 conditions:
                   description: >-
diff --git a/dev-example/test-pool.yaml b/dev-example/test-pool.yaml
index 73bd6ab50..2ff8d061e 100644
--- a/dev-example/test-pool.yaml
+++ b/dev-example/test-pool.yaml
@@ -8,3 +8,8 @@ spec:
   - user: admin
     may:
     - accessConsole
+  - user: test
+    may:
+    - accessConsole
+    - start
+    - stop
diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index 1ce8d9588..50031bbfa 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -21,9 +21,6 @@ spec:
   - role: admin
     may: 
     - "*"
-  - user: test
-    may:
-    - accessConsole
 
   guestShutdownStops: true
 
diff --git a/dev-example/test-vm.yaml b/dev-example/test-vm.yaml
index 6f71b6a43..7ee2793ba 100644
--- a/dev-example/test-vm.yaml
+++ b/dev-example/test-vm.yaml
@@ -14,9 +14,6 @@ spec:
   - user: admin
     may: 
     - "*"
-  - user: test
-    may:
-    - "accessConsole"
 
   resources:
     requests:
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index b807e8cee..375612bbe 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -89,6 +89,11 @@ public static Set<Permission> parse(String value) {
             return Set.of(reprs.get(value));
         }
 
+        /**
+         * To string.
+         *
+         * @return the string
+         */
         @Override
         public String toString() {
             return repr;
@@ -104,6 +109,11 @@ public String toString() {
      */
     public record Grant(String user, String role, Set<Permission> may) {
 
+        /**
+         * To string.
+         *
+         * @return the string
+         */
         @Override
         public String toString() {
             StringBuilder builder = new StringBuilder();
@@ -180,6 +190,16 @@ public void setMetadata(V1ObjectMeta metadata) {
         this.metadata = metadata;
     }
 
+    /**
+     * The pools that this VM belongs to.
+     *
+     * @return the list
+     */
+    public List<String> pools() {
+        return this.<List<String>> fromSpec("pools")
+            .orElse(Collections.emptyList());
+    }
+
     /**
      * Gets the spec.
      *
@@ -268,6 +288,24 @@ public void setStatus(Map<String, Object> status) {
         this.status = status;
     }
 
+    /**
+     * The pool that the VM was taken from.
+     *
+     * @return the optional
+     */
+    public Optional<String> assignedFrom() {
+        return fromStatus("assignment", "pool");
+    }
+
+    /**
+     * The user that the VM was assigned to.
+     *
+     * @return the optional
+     */
+    public Optional<String> assignedTo() {
+        return fromStatus("assignment", "user");
+    }
+
     /**
      * Return a condition's status.
      *
@@ -298,6 +336,7 @@ public VmDefinition extra(String property, Object value) {
     /**
      * Return extra data.
      *
+     * @param <T> the generic type
      * @param property the property
      * @return the object
      */
@@ -325,7 +364,7 @@ public String namespace() {
     }
 
     /**
-     * Return the requested VM state
+     * Return the requested VM state.
      *
      * @return the string
      */
@@ -367,11 +406,22 @@ public Optional<Long> displayPasswordSerial() {
             .map(Number::longValue);
     }
 
+    /**
+     * Hash code.
+     *
+     * @return the int
+     */
     @Override
     public int hashCode() {
         return Objects.hash(metadata.getNamespace(), metadata.getName());
     }
 
+    /**
+     * Equals.
+     *
+     * @param obj the obj
+     * @return true, if successful
+     */
     @Override
     public boolean equals(Object obj) {
         if (this == obj) {
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/AssignVm.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/AssignVm.java
new file mode 100644
index 000000000..21e60313c
--- /dev/null
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/AssignVm.java
@@ -0,0 +1,61 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2024 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.manager.events;
+
+import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
+import org.jgrapes.core.Event;
+
+/**
+ * Assign a VM from a pool to a user.
+ */
+@SuppressWarnings("PMD.DataClass")
+public class AssignVm extends Event<VmData> {
+
+    private final String fromPool;
+    private final String toUser;
+
+    /**
+     * Instantiates a new event.
+     *
+     * @param fromPool the from pool
+     * @param toUser the to user
+     */
+    public AssignVm(String fromPool, String toUser) {
+        this.fromPool = fromPool;
+        this.toUser = toUser;
+    }
+
+    /**
+     * Gets the pool to assign from.
+     *
+     * @return the pool
+     */
+    public String fromPool() {
+        return fromPool;
+    }
+
+    /**
+     * Gets the user to assign to.
+     *
+     * @return the to user
+     */
+    public String toUser() {
+        return toUser;
+    }
+}
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java
index ebb19cca7..8b00698be 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java
@@ -33,6 +33,8 @@ public class GetVms extends Event<List<GetVms.VmData>> {
     private String name;
     private String user;
     private List<String> roles = Collections.emptyList();
+    private String fromPool;
+    private String toUser;
 
     /**
      * Return only the VMs with the given name.
@@ -59,6 +61,28 @@ public GetVms accessibleFor(String user, List<String> roles) {
         return this;
     }
 
+    /**
+     * Return only {@link VmDefinition}s that are assigned from the given pool.
+     *
+     * @param pool the pool
+     * @return the returns the vms
+     */
+    public GetVms assignedFrom(String pool) {
+        this.fromPool = pool;
+        return this;
+    }
+
+    /**
+     * Return only {@link VmDefinition}s that are assigned to the given user.
+     *
+     * @param user the user
+     * @return the returns the vms
+     */
+    public GetVms assignedTo(String user) {
+        this.toUser = user;
+        return this;
+    }
+
     /**
      * Returns the name filter criterion, if set.
      *
@@ -86,6 +110,24 @@ public List<String> roles() {
         return roles;
     }
 
+    /**
+     * Returns the pool filter criterion, if set.
+     *
+     * @return the optional
+     */
+    public Optional<String> fromPool() {
+        return Optional.ofNullable(fromPool);
+    }
+
+    /**
+     * Returns the user filter criterion, if set.
+     *
+     * @return the optional
+     */
+    public Optional<String> toUser() {
+        return Optional.ofNullable(toUser);
+    }
+
     /**
      * Return tuple.
      *
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index b5268a2c5..b8ba46792 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -18,6 +18,8 @@
 
 package org.jdrupes.vmoperator.manager;
 
+import com.google.gson.JsonObject;
+import io.kubernetes.client.apimachinery.GroupVersionKind;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.util.Watch;
@@ -29,6 +31,7 @@
 import java.util.logging.Level;
 import java.util.stream.Collectors;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
@@ -41,13 +44,15 @@
 import org.jdrupes.vmoperator.common.VmDefinitionModels;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.manager.Constants.VM_OP_KIND_VM;
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
+import org.jdrupes.vmoperator.manager.events.AssignVm;
 import org.jdrupes.vmoperator.manager.events.ChannelManager;
 import org.jdrupes.vmoperator.manager.events.GetVms;
 import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
+import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
+import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Event;
 import org.jgrapes.core.annotation.Handler;
@@ -225,7 +230,60 @@ public void onGetVms(GetVms event) {
             .filter(c -> event.user().isEmpty() && event.roles().isEmpty()
                 || !c.vmDefinition().permissionsFor(event.user().orElse(null),
                     event.roles()).isEmpty())
+            .filter(c -> event.fromPool().isEmpty()
+                || c.vmDefinition().assignedFrom()
+                    .map(p -> p.equals(event.fromPool().get())).orElse(false))
+            .filter(c -> event.toUser().isEmpty()
+                || c.vmDefinition().assignedTo()
+                    .map(u -> u.equals(event.toUser().get())).orElse(false))
             .map(c -> new VmData(c.vmDefinition(), c))
             .toList());
     }
+
+    /**
+     * Assign a VM if not already assigned.
+     *
+     * @param event the event
+     * @throws ApiException the api exception
+     */
+    @Handler
+    public void onAssignVm(AssignVm event) throws ApiException {
+        // Search for existing assignment.
+        var assignedVm = channelManager.channels().stream()
+            .filter(c -> c.vmDefinition().assignedFrom()
+                .map(p -> p.equals(event.fromPool())).orElse(false))
+            .filter(c -> c.vmDefinition().assignedTo()
+                .map(u -> u.equals(event.toUser())).orElse(false))
+            .findFirst();
+        if (assignedVm.isPresent()) {
+            event.setResult(new VmData(assignedVm.get().vmDefinition(),
+                assignedVm.get()));
+            return;
+        }
+
+        // Find available VM.
+        assignedVm = channelManager.channels().stream()
+            .filter(c -> c.vmDefinition().pools().contains(event.fromPool()))
+            .filter(c -> c.vmDefinition().assignedTo().isEmpty())
+            .findFirst();
+        if (assignedVm.isPresent()) {
+            var vmDef = assignedVm.get().vmDefinition();
+            var vmStub = VmDefinitionStub.get(client(),
+                new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+                vmDef.namespace(), vmDef.name());
+            vmStub.updateStatus(from -> {
+                JsonObject status = from.status();
+                var assignment = GsonPtr.to(status).to("assignment");
+                assignment.set("pool", event.fromPool());
+                assignment.set("user", event.toUser());
+                return status;
+            });
+
+            // Always start a newly assigned VM.
+            fire(new ModifyVm(vmDef.name(), "state", "Running",
+                assignedVm.get()));
+            event.setResult(new VmData(vmDef, assignedVm.get()));
+        }
+    }
+
 }
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index c48488af7..d38d379ba 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -1,6 +1,6 @@
 /*
  * VM-Operator
- * Copyright (C) 2023,2024 Michael N. Lipp
+ * Copyright (C) 2023,2025 Michael N. Lipp
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -51,6 +51,7 @@
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.common.VmPool;
+import org.jdrupes.vmoperator.manager.events.AssignVm;
 import org.jdrupes.vmoperator.manager.events.GetDisplayPassword;
 import org.jdrupes.vmoperator.manager.events.GetPools;
 import org.jdrupes.vmoperator.manager.events.GetVms;
@@ -117,6 +118,7 @@
 public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
 
     private static final String VM_NAME_PROPERTY = "vmName";
+    private static final String POOL_NAME_PROPERTY = "poolName";
     private static final String RENDERED
         = VmAccess.class.getName() + ".rendered";
     private static final String PENDING
@@ -281,33 +283,56 @@ public void onConsoleConfigured(ConsoleConfigured event,
     private void addMissingConlets(ConsoleConfigured event,
             ConsoleConnection connection, final Set<ResourceModel> rendered)
             throws InterruptedException {
-        boolean foundMissing = false;
         var session = connection.session();
-        for (var vmName : appPipeline.fire(new GetVms().accessibleFor(
+
+        // Evaluate missing VMs
+        var missingVms = appPipeline.fire(new GetVms().accessibleFor(
             WebConsoleUtils.userFromSession(session)
                 .map(ConsoleUser::getName).orElse(null),
             WebConsoleUtils.rolesFromSession(session).stream()
                 .map(ConsoleRole::getName).toList()))
-            .get().stream().map(d -> d.definition().name()).toList()) {
-            if (rendered.stream()
-                .anyMatch(r -> r.mode() == ResourceModel.Mode.VM
-                    && r.name().equals(vmName))) {
-                continue;
-            }
-            if (!foundMissing) {
-                // Suspending to allow rendering of conlets to be noticed
-                var failSafe = Components.schedule(t -> event.resumeHandling(),
-                    Duration.ofSeconds(1));
-                event.suspendHandling(failSafe::cancel);
-                connection.setAssociated(PENDING, event);
-                foundMissing = true;
-            }
+            .get().stream().map(d -> d.definition().name())
+            .collect(Collectors.toCollection(HashSet::new));
+        missingVms.removeAll(rendered.stream()
+            .filter(r -> r.mode() == ResourceModel.Mode.VM)
+            .map(ResourceModel::name).toList());
+
+        // Evaluate missing pools
+        var missingPools = appPipeline.fire(new GetPools().accessibleFor(
+            WebConsoleUtils.userFromSession(session)
+                .map(ConsoleUser::getName).orElse(null),
+            WebConsoleUtils.rolesFromSession(session).stream()
+                .map(ConsoleRole::getName).toList()))
+            .get().stream().map(VmPool::name)
+            .collect(Collectors.toCollection(HashSet::new));
+        missingPools.removeAll(rendered.stream()
+            .filter(r -> r.mode() == ResourceModel.Mode.POOL)
+            .map(ResourceModel::name).toList());
+
+        // Nothing to do
+        if (missingVms.isEmpty() && missingPools.isEmpty()) {
+            return;
+        }
+
+        // Suspending to allow rendering of conlets to be noticed
+        var failSafe = Components.schedule(t -> event.resumeHandling(),
+            Duration.ofSeconds(1));
+        event.suspendHandling(failSafe::cancel);
+        connection.setAssociated(PENDING, event);
+
+        // Create conlets for VMs and pools that haven't been rendered
+        for (var vmName : missingVms) {
             fire(new AddConletRequest(event.event().event().renderSupport(),
-                VmAccess.class.getName(),
-                RenderMode.asSet(RenderMode.Preview))
+                VmAccess.class.getName(), RenderMode.asSet(RenderMode.Preview))
                     .addProperty(VM_NAME_PROPERTY, vmName),
                 connection);
         }
+        for (var poolName : missingPools) {
+            fire(new AddConletRequest(event.event().event().renderSupport(),
+                VmAccess.class.getName(), RenderMode.asSet(RenderMode.Preview))
+                    .addProperty(POOL_NAME_PROPERTY, poolName),
+                connection);
+        }
     }
 
     /**
@@ -334,9 +359,14 @@ private String storagePath(Session session, String conletId) {
     protected Optional<ResourceModel> createNewState(AddConletRequest event,
             ConsoleConnection connection, String conletId) throws Exception {
         var model = new ResourceModel(conletId);
-        model.setMode(ResourceModel.Mode.VM);
-        model
-            .setName((String) event.properties().get(VM_NAME_PROPERTY));
+        var poolName = (String) event.properties().get(POOL_NAME_PROPERTY);
+        if (poolName != null) {
+            model.setMode(ResourceModel.Mode.POOL);
+            model.setName(poolName);
+        } else {
+            model.setMode(ResourceModel.Mode.VM);
+            model.setName((String) event.properties().get(VM_NAME_PROPERTY));
+        }
         String jsonState = objectMapper.writeValueAsString(model);
         connection.respond(new KeyValueStoreUpdate().update(
             storagePath(connection.session(), model.getConletId()), jsonState));
@@ -428,18 +458,13 @@ private Set<RenderMode> renderPreview(RenderConletRequestBase<?> event,
                 channel.setAssociated(PENDING, null);
             });
 
-        var session = channel.session();
+        VmDefinition vmDef = null;
         if (model.mode() == ResourceModel.Mode.VM && model.name() != null) {
             // Remove conlet if VM definition has been removed
             // or user has not at least one permission
-            Optional<VmData> vmData = appPipeline.fire(new GetVms()
-                .withName(model.name()).accessibleFor(
-                    WebConsoleUtils.userFromSession(session)
-                        .map(ConsoleUser::getName).orElse(null),
-                    WebConsoleUtils.rolesFromSession(session).stream()
-                        .map(ConsoleRole::getName).toList()))
-                .get().stream().findFirst();
-            if (vmData.isEmpty()) {
+            vmDef = getVmData(model, channel).map(VmData::definition)
+                .orElse(null);
+            if (vmDef == null) {
                 channel.respond(
                     new DeleteConlet(conletId, Collections.emptySet()));
                 return Collections.emptySet();
@@ -453,11 +478,13 @@ private Set<RenderMode> renderPreview(RenderConletRequestBase<?> event,
                 .fire(new GetPools().withName(model.name())).get()
                 .stream().findFirst().orElse(null);
             if (pool == null
-                || poolPermissions(pool, channel.session()).isEmpty()) {
+                || permissions(pool, channel.session()).isEmpty()) {
                 channel.respond(
                     new DeleteConlet(conletId, Collections.emptySet()));
                 return Collections.emptySet();
             }
+            vmDef = getVmData(model, channel).map(VmData::definition)
+                .orElse(null);
         }
 
         // Render
@@ -474,13 +501,32 @@ private Set<RenderMode> renderPreview(RenderConletRequestBase<?> event,
         if (!Strings.isNullOrEmpty(model.name())) {
             Optional.ofNullable(channel.session().get(RENDERED))
                 .ifPresent(s -> ((Set<ResourceModel>) s).add(model));
-            updateConfig(channel, model);
+            updatePreview(channel, model, vmDef);
         }
         return EnumSet.of(RenderMode.Preview);
     }
 
-    private Set<Permission> vmPermissions(VmDefinition vmDef,
-            Session session) {
+    private Optional<VmData> getVmData(ResourceModel model,
+            ConsoleConnection channel) throws InterruptedException {
+        if (model.mode() == ResourceModel.Mode.VM) {
+            // Get the VM data by name.
+            var session = channel.session();
+            return appPipeline.fire(new GetVms().withName(model.name())
+                .accessibleFor(WebConsoleUtils.userFromSession(session)
+                    .map(ConsoleUser::getName).orElse(null),
+                    WebConsoleUtils.rolesFromSession(session).stream()
+                        .map(ConsoleRole::getName).toList()))
+                .get().stream().findFirst();
+        }
+
+        // Look for an (already) assigned VM
+        var user = WebConsoleUtils.userFromSession(channel.session())
+            .map(ConsoleUser::getName).orElse(null);
+        return appPipeline.fire(new GetVms().assignedFrom(model.name())
+            .assignedTo(user)).get().stream().findFirst();
+    }
+
+    private Set<Permission> permissions(VmDefinition vmDef, Session session) {
         var user = WebConsoleUtils.userFromSession(session)
             .map(ConsoleUser::getName).orElse(null);
         var roles = WebConsoleUtils.rolesFromSession(session)
@@ -488,8 +534,7 @@ private Set<Permission> vmPermissions(VmDefinition vmDef,
         return vmDef.permissionsFor(user, roles);
     }
 
-    private Set<Permission> poolPermissions(VmPool pool,
-            Session session) {
+    private Set<Permission> permissions(VmPool pool, Session session) {
         var user = WebConsoleUtils.userFromSession(session)
             .map(ConsoleUser::getName).orElse(null);
         var roles = WebConsoleUtils.rolesFromSession(session)
@@ -497,36 +542,60 @@ private Set<Permission> poolPermissions(VmPool pool,
         return pool.permissionsFor(user, roles);
     }
 
-    private void updateConfig(ConsoleConnection channel, ResourceModel model)
-            throws InterruptedException {
+    private Set<Permission> permissions(ResourceModel model, Session session,
+            VmPool pool, VmDefinition vmDef) throws InterruptedException {
+        var user = WebConsoleUtils.userFromSession(session)
+            .map(ConsoleUser::getName).orElse(null);
+        var roles = WebConsoleUtils.rolesFromSession(session)
+            .stream().map(ConsoleRole::getName).toList();
+        Set<Permission> result = new HashSet<>();
+        if (model.mode() == ResourceModel.Mode.POOL) {
+            if (pool == null) {
+                pool = appPipeline.fire(new GetPools()
+                    .withName(model.name())).get().stream().findFirst()
+                    .orElse(null);
+            }
+            if (pool != null) {
+                result.addAll(pool.permissionsFor(user, roles));
+            }
+        }
+        if (vmDef != null) {
+            result.addAll(vmDef.permissionsFor(user, roles));
+        }
+        return result;
+    }
+
+    private void updatePreview(ConsoleConnection channel, ResourceModel model,
+            VmDefinition vmDef) throws InterruptedException {
         channel.respond(new NotifyConletView(type(),
             model.getConletId(), "updateConfig", model.mode(), model.name()));
-        updateVmDef(channel, model);
+        updateVmDef(channel, model, vmDef);
     }
 
-    private void updateVmDef(ConsoleConnection channel, ResourceModel model)
-            throws InterruptedException {
-        if (Strings.isNullOrEmpty(model.name())) {
-            return;
+    private void updateVmDef(ConsoleConnection channel, ResourceModel model,
+            VmDefinition vmDef) throws InterruptedException {
+        Map<String, Object> data = null;
+        if (vmDef != null) {
+            model.setAssignedVm(vmDef.name());
+            try {
+                data = Map.of("metadata",
+                    Map.of("namespace", vmDef.namespace(),
+                        "name", vmDef.name()),
+                    "spec", vmDef.spec(),
+                    "status", vmDef.getStatus(),
+                    "userPermissions",
+                    permissions(model, channel.session(), null, vmDef).stream()
+                        .map(VmDefinition.Permission::toString).toList());
+            } catch (JsonSyntaxException e) {
+                logger.log(Level.SEVERE, e,
+                    () -> "Failed to serialize VM definition");
+                return;
+            }
+        } else {
+            model.setAssignedVm(null);
         }
-        appPipeline.fire(new GetVms().withName(model.name())).get().stream()
-            .findFirst().map(d -> d.definition()).ifPresent(vmDef -> {
-                try {
-                    var data = Map.of("metadata",
-                        Map.of("namespace", vmDef.namespace(),
-                            "name", vmDef.name()),
-                        "spec", vmDef.spec(),
-                        "status", vmDef.getStatus(),
-                        "userPermissions",
-                        vmPermissions(vmDef, channel.session()).stream()
-                            .map(VmDefinition.Permission::toString).toList());
-                    channel.respond(new NotifyConletView(type(),
-                        model.getConletId(), "updateVmDefinition", data));
-                } catch (JsonSyntaxException e) {
-                    logger.log(Level.SEVERE, e,
-                        () -> "Failed to serialize VM definition");
-                }
-            });
+        channel.respond(new NotifyConletView(type(),
+            model.getConletId(), "updateVmDefinition", data));
     }
 
     @Override
@@ -541,7 +610,7 @@ protected void doConletDeleted(ConletDeleted event,
     }
 
     /**
-     * Track the VM definitions.
+     * Track the VM definitions and update conlets.
      *
      * @param event the event
      * @param channel the channel
@@ -562,17 +631,43 @@ public void onVmDefChanged(VmDefChanged event, VmChannel channel)
             for (var conletId : entry.getValue()) {
                 var model = stateFromSession(connection.session(), conletId);
                 if (model.isEmpty()
-                    || model.get().mode() != ResourceModel.Mode.VM
-                    || !Objects.areEqual(model.get().name(), vmDef.name())) {
+                    || Strings.isNullOrEmpty(model.get().name())) {
                     continue;
                 }
-                if (event.type() == K8sObserver.ResponseType.DELETED
-                    || vmPermissions(vmDef, connection.session()).isEmpty()) {
-                    connection.respond(
-                        new DeleteConlet(conletId, Collections.emptySet()));
+                if (model.get().mode() == ResourceModel.Mode.VM) {
+                    // Check if this VM is used by conlet
+                    if (!Objects.areEqual(model.get().name(), vmDef.name())) {
+                        continue;
+                    }
+                    if (event.type() == K8sObserver.ResponseType.DELETED
+                        || permissions(vmDef, connection.session()).isEmpty()) {
+                        connection.respond(
+                            new DeleteConlet(conletId, Collections.emptySet()));
+                        continue;
+                    }
                 } else {
-                    updateVmDef(connection, model.get());
+                    // Check if VM is used by pool conlet or to be assigned to
+                    // it
+                    var user
+                        = WebConsoleUtils.userFromSession(connection.session())
+                            .map(ConsoleUser::getName).orElse(null);
+                    var toBeUsedByConlet = vmDef.assignedFrom()
+                        .map(p -> p.equals(model.get().name())).orElse(false)
+                        && vmDef.assignedTo().map(u -> u.equals(user))
+                            .orElse(false);
+                    if (!Objects.areEqual(model.get().assignedVm(),
+                        vmDef.name()) && !toBeUsedByConlet) {
+                        continue;
+                    }
+
+                    // Now unassigned if VM is deleted or no longer to be used
+                    if (event.type() == K8sObserver.ResponseType.DELETED
+                        || !toBeUsedByConlet) {
+                        updateVmDef(connection, model.get(), null);
+                        continue;
+                    }
                 }
+                updateVmDef(connection, model.get(), vmDef);
             }
         }
     }
@@ -598,7 +693,7 @@ public void onVmPoolChanged(VmPoolChanged event) {
                     continue;
                 }
                 if (event.deleted()
-                    || poolPermissions(event.vmPool(), connection.session())
+                    || permissions(event.vmPool(), connection.session())
                         .isEmpty()) {
                     connection.respond(
                         new DeleteConlet(conletId, Collections.emptySet()));
@@ -612,24 +707,36 @@ public void onVmPoolChanged(VmPoolChanged event) {
         "PMD.ConfusingArgumentToVarargsMethod", "PMD.NcssCount",
         "PMD.AvoidLiteralsInIfCondition" })
     protected void doUpdateConletState(NotifyConletModel event,
-            ConsoleConnection channel, ResourceModel model)
-            throws Exception {
+            ConsoleConnection channel, ResourceModel model) throws Exception {
         event.stop();
         if ("selectedResource".equals(event.method())) {
             selectResource(event, channel, model);
             return;
         }
 
-        // Handle command for selected VM
-        var vmData = appPipeline.fire(new GetVms().withName(model.name())).get()
-            .stream().findFirst();
+        Optional<VmData> vmData = getVmData(model, channel);
         if (vmData.isEmpty()) {
-            return;
+            if (model.mode() == ResourceModel.Mode.VM) {
+                return;
+            }
+            if ("start".equals(event.method())) {
+                // Assign a VM.
+                var user = WebConsoleUtils.userFromSession(channel.session())
+                    .map(ConsoleUser::getName).orElse(null);
+                vmData = Optional.ofNullable(appPipeline
+                    .fire(new AssignVm(model.name(), user)).get());
+                if (vmData.isEmpty()) {
+                    // TODO message
+                    return;
+                }
+            }
         }
+
+        // Handle command for selected VM
         var vmChannel = vmData.get().channel();
         var vmDef = vmData.get().definition();
         var vmName = vmDef.metadata().getName();
-        var perms = vmPermissions(vmDef, channel.session());
+        var perms = permissions(model, channel.session(), null, vmDef);
         var resourceBundle = resourceBundle(channel.locale());
         switch (event.method()) {
         case "start":
@@ -658,7 +765,7 @@ protected void doUpdateConletState(NotifyConletModel event,
                     .map(ConsoleUser::getName).orElse("");
                 var pwQuery
                     = Event.onCompletion(new GetDisplayPassword(vmDef, user),
-                        e -> openConsole(vmName, channel, model,
+                        e -> openConsole(vmDef, channel, model,
                             e.password().orElse(null)));
                 fire(pwQuery, vmChannel);
             }
@@ -680,33 +787,29 @@ private void selectResource(NotifyConletModel event,
             String jsonState = objectMapper.writeValueAsString(model);
             channel.respond(new KeyValueStoreUpdate().update(storagePath(
                 channel.session(), model.getConletId()), jsonState));
-            updateConfig(channel, model);
+            updatePreview(channel, model,
+                getVmData(model, channel).map(VmData::definition).orElse(null));
         } catch (IllegalArgumentException e) {
             logger.warning(() -> "Invalid resource type: " + e.getMessage());
         }
     }
 
-    private void openConsole(String vmName, ConsoleConnection connection,
+    private void openConsole(VmDefinition vmDef, ConsoleConnection connection,
             ResourceModel model, String password) {
-        VmDefinition vmDef;
-        try {
-            vmDef = appPipeline.fire(new GetVms().withName(model.name())).get()
-                .stream().findFirst().map(VmData::definition).orElse(null);
-        } catch (InterruptedException e) {
-            return;
-        }
         if (vmDef == null) {
             return;
         }
         var addr = displayIp(vmDef);
         if (addr.isEmpty()) {
-            logger.severe(() -> "Failed to find display IP for " + vmName);
+            logger
+                .severe(() -> "Failed to find display IP for " + vmDef.name());
             return;
         }
         var port = vmDef.<Number> fromVm("display", "spice", "port")
             .map(Number::longValue);
         if (port.isEmpty()) {
-            logger.severe(() -> "No port defined for display of " + vmName);
+            logger
+                .severe(() -> "No port defined for display of " + vmDef.name());
             return;
         }
         StringBuffer data = new StringBuffer(100)
@@ -799,6 +902,7 @@ public enum Mode {
 
         private Mode mode;
         private String name;
+        private String assignedVm;
 
         /**
          * Instantiates a new resource model.
@@ -809,6 +913,25 @@ public ResourceModel(@JsonProperty("conletId") String conletId) {
             super(conletId);
         }
 
+        /**
+         * Returns the mode.
+         *
+         * @return the resourceType
+         */
+        @JsonGetter("mode")
+        public Mode mode() {
+            return mode;
+        }
+
+        /**
+         * Sets the mode.
+         *
+         * @param mode the resource mode to set
+         */
+        public void setMode(Mode mode) {
+            this.mode = mode;
+        }
+
         /**
          * Gets the resource name.
          *
@@ -829,29 +952,29 @@ public void setName(String name) {
         }
 
         /**
-         * Returns the mode.
+         * Gets the assigned vm.
          *
-         * @return the resourceType
+         * @return the string
          */
-        @JsonGetter("mode")
-        public Mode mode() {
-            return mode;
+        @JsonGetter("assignedVm")
+        public String assignedVm() {
+            return assignedVm;
         }
 
         /**
-         * Sets the mode.
+         * Sets the assigned vm.
          *
-         * @param mode the resource mode to set
+         * @param name the assigned vm
          */
-        public void setMode(Mode mode) {
-            this.mode = mode;
+        public void setAssignedVm(String name) {
+            this.assignedVm = name;
         }
 
         @Override
         public int hashCode() {
             final int prime = 31;
             int result = super.hashCode();
-            result = prime * result + java.util.Objects.hash(name, mode);
+            result = prime * result + java.util.Objects.hash(mode, name);
             return result;
         }
 
@@ -867,8 +990,8 @@ public boolean equals(Object obj) {
                 return false;
             }
             ResourceModel other = (ResourceModel) obj;
-            return java.util.Objects.equals(name, other.name)
-                && mode == other.mode;
+            return mode == other.mode
+                && java.util.Objects.equals(name, other.name);
         }
 
         @Override
@@ -878,6 +1001,5 @@ public String toString() {
                 .append(", name=").append(name).append(']');
             return builder.toString();
         }
-
     }
 }
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
index c5f3da023..f00d87690 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
@@ -44,7 +44,7 @@ interface Api {
     /* eslint-disable @typescript-eslint/no-explicit-any */
     vmName: string;
     vmDefinition: any;
-    poolName: string;
+    poolName: string | null;
 }
 
 const localize = (key: string) => {
@@ -64,12 +64,21 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             const previewApi: Api = reactive({
                 vmName: "",
                 vmDefinition: {},
-                poolName: ""
+                poolName: null
             });
+            const poolName = computed(() => previewApi.poolName);
+            const vmName = computed(() => previewApi.vmDefinition.name);
             const configured = computed(() => previewApi.vmDefinition.spec);
-            const startable = computed(() => previewApi.vmDefinition.spec &&
-                previewApi.vmDefinition.spec.vm.state !== 'Running' 
-                && !previewApi.vmDefinition.running);
+            const busy = computed(() => previewApi.vmDefinition.spec
+                && (previewApi.vmDefinition.spec.vm.state === 'Running'
+                        && !previewApi.vmDefinition.running
+                    || previewApi.vmDefinition.spec.vm.state === 'Stopped' 
+                        && previewApi.vmDefinition.running));
+            const startable = computed(() => previewApi.vmDefinition.spec
+                && previewApi.vmDefinition.spec.vm.state !== 'Running' 
+                && !previewApi.vmDefinition.running
+                && previewApi.vmDefinition.userPermissions.includes('start')
+                || previewApi.poolName !== null && !previewApi.vmDefinition.name);
             const stoppable = computed(() => previewApi.vmDefinition.spec &&
                 previewApi.vmDefinition.spec.vm.state !== 'Stopped' 
                 && previewApi.vmDefinition.running);
@@ -79,10 +88,8 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
                 ? previewApi.vmDefinition.userPermissions : []);
 
             watch(previewApi, (api: Api) => {
-                const name = api.vmName || api.poolName;
-                if (name !== "") {
-                    JGConsole.instance.updateConletTitle(conletId, name);
-                }
+                JGConsole.instance.updateConletTitle(conletId, 
+                    api.poolName || api.vmDefinition.name || "");
             });
         
             provideApi(previewDom, previewApi);
@@ -91,16 +98,16 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
                 JGConsole.notifyConletModel(conletId, action);
             };
         
-            return { localize, resourceBase, vmAction, configured,
-                        startable, stoppable, running, inUse, permissions };
+            return { localize, resourceBase, vmAction, poolName, vmName, 
+                configured, busy, startable, stoppable, running, inUse,
+                permissions };
         },
         template: `
           <table>
             <tbody>
               <tr>
                 <td rowspan="2" style="position: relative"><span
-                  style="position: absolute;" 
-                  :class="{ busy: configured && !startable && !stoppable }"
+                  style="position: absolute;" :class="{ busy: busy }"
                   ><img role=button :aria-disabled="!running
                       || !permissions.includes('accessConsole')" 
                   v-on:click="vmAction('openConsole')"
@@ -110,9 +117,12 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
                   :title="localize('Open console')"></span><span
                   style="visibility: hidden;"><img
                   :src="resourceBase + 'computer.svg'"></span></td>
+                <td v-if="!poolName" style="padding: 0;"></td>
+                <td v-else>{{ vmName }}</td>
+              </tr>
+              <tr>
                 <td class="jdrupes-vmoperator-vmaccess-preview-action-list">
-                  <span role="button" 
-                    :aria-disabled="!startable || !permissions.includes('start')" 
+                  <span role="button" :aria-disabled="!startable" 
                     tabindex="0" class="fa fa-play" :title="localize('Start VM')"
                     v-on:click="vmAction('start')"></span>
                   <span role="button"
@@ -130,9 +140,6 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
                   </span>
                 </td>
               </tr>
-              <tr>
-                <td></td>
-              </tr>
             </tbody>
           </table>`
     });
@@ -160,25 +167,29 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
     });
 
 JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
-    "updateVmDefinition", function(conletId: string, vmDefinition: any) {
+    "updateVmDefinition", function(conletId: string, vmDefinition: any | null) {
         const conlet = JGConsole.findConletPreview(conletId);
         if (!conlet) {
             return;
         }
         const api = getApi<Api>(conlet.element().querySelector(
             ":scope .jdrupes-vmoperator-vmaccess-preview"))!;
-        // Add some short-cuts for rendering
-        vmDefinition.name = vmDefinition.metadata.name;
-        vmDefinition.currentCpus = vmDefinition.status.cpus;
-        vmDefinition.currentRam = Number(vmDefinition.status.ram);
-        vmDefinition.usedBy = vmDefinition.status.consoleClient || "";
-        for (const condition of vmDefinition.status.conditions) {
-            if (condition.type === "Running") {
-                vmDefinition.running = condition.status === "True";
-                vmDefinition.runningConditionSince 
-                    = new Date(condition.lastTransitionTime);
-                break;
+        if (vmDefinition) {
+            // Add some short-cuts for rendering
+            vmDefinition.name = vmDefinition.metadata.name;
+            vmDefinition.currentCpus = vmDefinition.status.cpus;
+            vmDefinition.currentRam = Number(vmDefinition.status.ram);
+            vmDefinition.usedBy = vmDefinition.status.consoleClient || "";
+            for (const condition of vmDefinition.status.conditions) {
+                if (condition.type === "Running") {
+                    vmDefinition.running = condition.status === "True";
+                    vmDefinition.runningConditionSince 
+                        = new Date(condition.lastTransitionTime);
+                    break;
+                }
             }
+        } else {
+            vmDefinition = {};
         }
         api.vmDefinition = vmDefinition;
     });
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
index cf0fb56a6..86b401498 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
@@ -49,7 +49,12 @@
 
 .jdrupes-vmoperator-vmaccess.jdrupes-vmoperator-vmaccess-preview {
   
+  table {
+    border-spacing: 0;
+  }
+    
   img {
+    display: block;
     height: 3em;
     padding: 0.25rem;
     

From 1cb90b0c94de5a2b9abc766cf303c3e64105c2db Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 23 Jan 2025 15:25:16 +0100
Subject: [PATCH 15/35] Update GUI on pool permission changes.

---
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 33 +++++++++++++------
 .../vmaccess/browser/VmAccess-functions.ts    | 13 +++++---
 2 files changed, 31 insertions(+), 15 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index d38d379ba..4ac339796 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -559,6 +559,11 @@ private Set<Permission> permissions(ResourceModel model, Session session,
                 result.addAll(pool.permissionsFor(user, roles));
             }
         }
+        if (vmDef == null) {
+            vmDef = appPipeline.fire(new GetVms().assignedFrom(model.name())
+                .assignedTo(user)).get().stream().map(VmData::definition)
+                .findFirst().orElse(null);
+        }
         if (vmDef != null) {
             result.addAll(vmDef.permissionsFor(user, roles));
         }
@@ -567,32 +572,36 @@ private Set<Permission> permissions(ResourceModel model, Session session,
 
     private void updatePreview(ConsoleConnection channel, ResourceModel model,
             VmDefinition vmDef) throws InterruptedException {
-        channel.respond(new NotifyConletView(type(),
-            model.getConletId(), "updateConfig", model.mode(), model.name()));
+        updateConfig(channel, model, vmDef);
         updateVmDef(channel, model, vmDef);
     }
 
+    private void updateConfig(ConsoleConnection channel, ResourceModel model,
+            VmDefinition vmDef) throws InterruptedException {
+        channel.respond(new NotifyConletView(type(),
+            model.getConletId(), "updateConfig", model.mode(), model.name(),
+            permissions(model, channel.session(), null, vmDef).stream()
+                .map(VmDefinition.Permission::toString).toList()));
+    }
+
     private void updateVmDef(ConsoleConnection channel, ResourceModel model,
             VmDefinition vmDef) throws InterruptedException {
         Map<String, Object> data = null;
-        if (vmDef != null) {
+        if (vmDef == null) {
+            model.setAssignedVm(null);
+        } else {
             model.setAssignedVm(vmDef.name());
             try {
                 data = Map.of("metadata",
                     Map.of("namespace", vmDef.namespace(),
                         "name", vmDef.name()),
                     "spec", vmDef.spec(),
-                    "status", vmDef.getStatus(),
-                    "userPermissions",
-                    permissions(model, channel.session(), null, vmDef).stream()
-                        .map(VmDefinition.Permission::toString).toList());
+                    "status", vmDef.getStatus());
             } catch (JsonSyntaxException e) {
                 logger.log(Level.SEVERE, e,
                     () -> "Failed to serialize VM definition");
                 return;
             }
-        } else {
-            model.setAssignedVm(null);
         }
         channel.respond(new NotifyConletView(type(),
             model.getConletId(), "updateVmDefinition", data));
@@ -677,10 +686,12 @@ public void onVmDefChanged(VmDefChanged event, VmChannel channel)
      *
      * @param event the event
      * @param channel the channel
+     * @throws InterruptedException 
      */
     @Handler(namedChannels = "manager")
     @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
-    public void onVmPoolChanged(VmPoolChanged event) {
+    public void onVmPoolChanged(VmPoolChanged event)
+            throws InterruptedException {
         var poolName = event.vmPool().name();
         // Update known conlets
         for (var entry : conletIdsByConsoleConnection().entrySet()) {
@@ -697,7 +708,9 @@ public void onVmPoolChanged(VmPoolChanged event) {
                         .isEmpty()) {
                     connection.respond(
                         new DeleteConlet(conletId, Collections.emptySet()));
+                    continue;
                 }
+                updateConfig(connection, model.get(), null);
             }
         }
     }
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
index f00d87690..de65216cb 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
@@ -45,6 +45,7 @@ interface Api {
     vmName: string;
     vmDefinition: any;
     poolName: string | null;
+    permissions: string[];
 }
 
 const localize = (key: string) => {
@@ -64,7 +65,8 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             const previewApi: Api = reactive({
                 vmName: "",
                 vmDefinition: {},
-                poolName: null
+                poolName: null,
+                permissions: []
             });
             const poolName = computed(() => previewApi.poolName);
             const vmName = computed(() => previewApi.vmDefinition.name);
@@ -77,15 +79,14 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             const startable = computed(() => previewApi.vmDefinition.spec
                 && previewApi.vmDefinition.spec.vm.state !== 'Running' 
                 && !previewApi.vmDefinition.running
-                && previewApi.vmDefinition.userPermissions.includes('start')
+                && previewApi.permissions.includes('start')
                 || previewApi.poolName !== null && !previewApi.vmDefinition.name);
             const stoppable = computed(() => previewApi.vmDefinition.spec &&
                 previewApi.vmDefinition.spec.vm.state !== 'Stopped' 
                 && previewApi.vmDefinition.running);
             const running = computed(() => previewApi.vmDefinition.running);
             const inUse = computed(() => previewApi.vmDefinition.usedBy != '');
-            const permissions = computed(() => previewApi.vmDefinition.spec
-                ? previewApi.vmDefinition.userPermissions : []);
+            const permissions = computed(() => previewApi.permissions);
 
             watch(previewApi, (api: Api) => {
                 JGConsole.instance.updateConletTitle(conletId, 
@@ -150,7 +151,8 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
 
 JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
     "updateConfig",
-    function(conletId: string, type: string, resource: string) {
+    function(conletId: string, type: string, resource: string,
+        permissions: []) {
         const conlet = JGConsole.findConletPreview(conletId);
         if (!conlet) {
             return;
@@ -164,6 +166,7 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
             api.poolName = resource;
             api.vmName = "";
         }
+        api.permissions = permissions;
     });
 
 JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",

From 8799bcc8f244e1d121e5c69f5c54636705f6b0f9 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 23 Jan 2025 15:33:01 +0100
Subject: [PATCH 16/35] Update permissions on VM change.

---
 dev-example/test-pool.yaml                                    | 2 --
 .../src/org/jdrupes/vmoperator/vmaccess/VmAccess.java         | 4 +++-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/dev-example/test-pool.yaml b/dev-example/test-pool.yaml
index 2ff8d061e..43c36b876 100644
--- a/dev-example/test-pool.yaml
+++ b/dev-example/test-pool.yaml
@@ -11,5 +11,3 @@ spec:
   - user: test
     may:
     - accessConsole
-    - start
-    - stop
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 4ac339796..e6d4e582f 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -676,7 +676,9 @@ public void onVmDefChanged(VmDefChanged event, VmChannel channel)
                         continue;
                     }
                 }
-                updateVmDef(connection, model.get(), vmDef);
+
+                // Full update because permissions may have changed
+                updatePreview(connection, model.get(), vmDef);
             }
         }
     }

From ba18e1f0d0ec5fe6467e093d3b0a83e98a011212 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 23 Jan 2025 17:35:46 +0100
Subject: [PATCH 17/35] Add assigned to.

---
 .../resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties  | 3 ++-
 .../org/jdrupes/vmoperator/vmmgmt/l10n_de.properties         | 5 +++--
 .../jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts    | 2 ++
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
index 88f140349..51ca610ad 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
@@ -2,7 +2,7 @@ conletName = VM Management
 
 VMsSummary = VMs (running/total)
 
-since = Since
+assignedTo = Assigned to
 currentCpus = Current CPUs
 currentRam = Current RAM
 maximumCpus = Maximum CPUs
@@ -11,6 +11,7 @@ nodeName = Node
 requestedCpus = Requested CPUs
 requestedRam = Requested RAM
 running = Running
+since = Since
 usedBy = Used by
 usedFrom = Used from
 vmActions = Actions
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
index 80e36d2d2..3e67928be 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
@@ -6,8 +6,7 @@ Period = Zeitraum
 Last\ hour = Letzte Stunde
 Last\ day = Letzter Tag
 
-running = Gestartet
-since = Seit
+assignedTo = Zugewiesen an
 currentCpus = Aktuelle CPUs
 currentRam = Akuelles RAM
 maximumCpus = Maximale CPUs
@@ -15,6 +14,8 @@ maximumRam = Maximales RAM
 nodeName = Knoten
 requestedCpus = Angeforderte CPUs
 requestedRam = Angefordertes RAM
+running = Gestartet
+since = Seit
 usedBy = Benutzt durch
 usedFrom = Benutzt von
 vmActions = Aktionen
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
index 78f58510d..d96ad65f4 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
@@ -112,6 +112,7 @@ window.orgJDrupesVmOperatorVmMgmt.initView = (viewDom: HTMLElement,
                 ["currentCpus", "currentCpus"],
                 ["currentRam", "currentRam"],
                 ["nodeName", "nodeName"],
+                ["assignedTo", "assignedTo"],
                 ["usedFrom", "usedFrom"],
                 ["usedBy", "usedBy"]
             ], {
@@ -183,6 +184,7 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmmgmt.VmMgmt",
         vmDefinition.currentRam = Number(vmDefinition.status.ram);
         vmDefinition.usedFrom = vmDefinition.status.consoleClient || "";
         vmDefinition.usedBy = vmDefinition.status.consoleUser || "";
+        vmDefinition.assignedTo = vmDefinition.status.assignment?.user || "";
         for (const condition of vmDefinition.status.conditions) {
             if (condition.type === "Running") {
                 vmDefinition.running = condition.status === "True";

From edc3596e7daebdce26185eb3f0e18ba41ca3ed26 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 23 Jan 2025 18:05:38 +0100
Subject: [PATCH 18/35] Move "used from" to details.

---
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html      | 6 ++++++
 .../jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts   | 1 -
 .../org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss | 2 ++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
index 6b46faa75..9d0a2d498 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
@@ -103,6 +103,12 @@
                   ><span>{{ cic.error }}</span></form></td>
               </tr>
             </table>
+            <table class="table--basic table--basic--autoStriped">
+              <tr>
+                <td>{{ localize("usedFrom") }}</td>
+                <td>{{ entry.usedFrom }}</td>
+              </tr>
+            </table>
           </td>
         </tr>
       </template>
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
index d96ad65f4..6ab15b879 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
@@ -113,7 +113,6 @@ window.orgJDrupesVmOperatorVmMgmt.initView = (viewDom: HTMLElement,
                 ["currentRam", "currentRam"],
                 ["nodeName", "nodeName"],
                 ["assignedTo", "assignedTo"],
-                ["usedFrom", "usedFrom"],
                 ["usedBy", "usedBy"]
             ], {
                 sortKey: "name",
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
index e02fe24f8..607b0c582 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
@@ -78,6 +78,8 @@
     padding-left: 1em;
 
     table {
+      display: inline;
+      
       td:nth-child(2) {
         min-width: 7em;
 

From fb69c1d793c8faa7063b34d91bd4d807c4a4ebe3 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 23 Jan 2025 18:25:37 +0100
Subject: [PATCH 19/35] Minor style change.

---
 .../src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
index 607b0c582..9d7721a2e 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
@@ -75,7 +75,7 @@
   }
   
   td.details {
-    padding-left: 1em;
+    padding-left: 0;
 
     table {
       display: inline;

From 9318b1279abbe48a229d614be2f3a4d86684eacc Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 23 Jan 2025 21:17:06 +0100
Subject: [PATCH 20/35] Move jackson to base library.

---
 org.jdrupes.vmoperator.common/build.gradle         | 1 +
 org.jdrupes.vmoperator.manager.events/build.gradle | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.common/build.gradle b/org.jdrupes.vmoperator.common/build.gradle
index 07877fe20..e72cb141f 100644
--- a/org.jdrupes.vmoperator.common/build.gradle
+++ b/org.jdrupes.vmoperator.common/build.gradle
@@ -13,4 +13,5 @@ dependencies {
     api 'org.jgrapes:org.jgrapes.core:[1.22.1,2)'
     api 'io.kubernetes:client-java:[19.0.0,20.0.0)'
     api 'org.yaml:snakeyaml'
+    api 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:[2.16.1,3]'
 }
diff --git a/org.jdrupes.vmoperator.manager.events/build.gradle b/org.jdrupes.vmoperator.manager.events/build.gradle
index cfdd79e54..bb4b8d86d 100644
--- a/org.jdrupes.vmoperator.manager.events/build.gradle
+++ b/org.jdrupes.vmoperator.manager.events/build.gradle
@@ -10,5 +10,4 @@ plugins {
 
 dependencies {
     api project(':org.jdrupes.vmoperator.common')
-    api 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:[2.16.1,3]'
 }

From a5ddf6ac977c2301569bd757898c8d65a1823684 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 13:32:00 +0100
Subject: [PATCH 21/35] Avoid updating immutable fields.

---
 .../vmoperator/manager/PvcReconciler.java     | 43 +++++++++++++-
 .../org/jdrupes/vmoperator/util/GsonPtr.java  | 58 ++++++++++++++++++-
 2 files changed, 97 insertions(+), 4 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
index d044199c4..4ced1b135 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
@@ -18,6 +18,7 @@
 
 package org.jdrupes.vmoperator.manager;
 
+import com.google.gson.JsonObject;
 import freemarker.core.ParseException;
 import freemarker.template.Configuration;
 import freemarker.template.MalformedTemplateNameException;
@@ -25,6 +26,7 @@
 import freemarker.template.TemplateNotFoundException;
 import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiException;
+import io.kubernetes.client.util.generic.dynamic.DynamicKubernetesObject;
 import io.kubernetes.client.util.generic.dynamic.Dynamics;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import io.kubernetes.client.util.generic.options.PatchOptions;
@@ -41,6 +43,7 @@
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.util.DataPath;
+import org.jdrupes.vmoperator.util.GsonPtr;
 import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.SafeConstructor;
@@ -179,17 +182,51 @@ private void reconcileRunnerDiskPvc(VmDefChanged event,
         var pvcDef = Dynamics.newFromYaml(
             new Yaml(new SafeConstructor(new LoaderOptions())), out.toString());
 
-        // Do apply changes
+        // Apply changes
         var pvcStub
             = K8sV1PvcStub.get(channel.client(), vmDef.namespace(), pvcName);
+        var pvc = pvcStub.model();
+        if (pvc.isEmpty()
+            || !"Bound".equals(pvc.get().getStatus().getPhase())) {
+            // Does not exist or isn't bound, use apply
+            PatchOptions opts = new PatchOptions();
+            opts.setForce(true);
+            opts.setFieldManager("kubernetes-java-kubectl-apply");
+            if (pvcStub.patch(V1Patch.PATCH_FORMAT_APPLY_YAML,
+                new V1Patch(channel.client().getJSON().serialize(pvcDef)), opts)
+                .isEmpty()) {
+                logger.warning(
+                    () -> "Could not patch pvc for " + pvcStub.name());
+            }
+            return;
+        }
+
+        // If bound, use json merge, omitting immutable fields
+        var spec = GsonPtr.to(pvcDef.getRaw()).to("spec");
+        spec.removeExcept("volumeAttributesClassName", "resources");
+        spec.access("resources").ifPresent(p -> p.removeExcept("requests"));
         PatchOptions opts = new PatchOptions();
-        opts.setForce(true);
         opts.setFieldManager("kubernetes-java-kubectl-apply");
-        if (pvcStub.patch(V1Patch.PATCH_FORMAT_APPLY_YAML,
+        if (pvcStub.patch(V1Patch.PATCH_FORMAT_JSON_MERGE_PATCH,
             new V1Patch(channel.client().getJSON().serialize(pvcDef)), opts)
             .isEmpty()) {
             logger.warning(
                 () -> "Could not patch pvc for " + pvcStub.name());
         }
     }
+
+    @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
+    private void removeImmutable(DynamicKubernetesObject pvcDef) {
+        var spec = GsonPtr.to(pvcDef.getRaw()).to("spec").get(JsonObject.class);
+        for (var itr = spec.entrySet().iterator(); itr.hasNext();) {
+            var entry = itr.next();
+            if ("volumeAttributesClassName".equals(entry.getKey())) {
+                continue;
+            }
+            if ("resources".equals(entry.getKey())) {
+                continue;
+            }
+            itr.remove();
+        }
+    }
 }
diff --git a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
index 8b84ed39a..de96ec637 100644
--- a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
+++ b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
@@ -23,6 +23,7 @@
 import com.google.gson.JsonObject;
 import com.google.gson.JsonPrimitive;
 import java.math.BigInteger;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
@@ -62,7 +63,8 @@ public static GsonPtr to(JsonElement root) {
      * @param selectors the selectors
      * @return the Gson pointer
      */
-    @SuppressWarnings({ "PMD.ShortMethodName", "PMD.PreserveStackTrace" })
+    @SuppressWarnings({ "PMD.ShortMethodName", "PMD.PreserveStackTrace",
+        "PMD.AvoidDuplicateLiterals" })
     public GsonPtr to(Object... selectors) {
         JsonElement element = position;
         for (Object sel : selectors) {
@@ -91,6 +93,42 @@ public GsonPtr to(Object... selectors) {
         return new GsonPtr(element);
     }
 
+    /**
+     * Create a new instance pointing to the {@link JsonElement} 
+     * selected by the given selectors. If a selector of type 
+     * {@link String} denotes a non-existant member of a
+     * {@link JsonObject} the result is empty.
+     *
+     * @param selectors the selectors
+     * @return the Gson pointer
+     */
+    @SuppressWarnings({ "PMD.ShortMethodName", "PMD.PreserveStackTrace" })
+    public Optional<GsonPtr> access(Object... selectors) {
+        JsonElement element = position;
+        for (Object sel : selectors) {
+            if (element instanceof JsonObject obj
+                && sel instanceof String member) {
+                element = obj.get(member);
+                if (element == null) {
+                    return Optional.empty();
+                }
+                continue;
+            }
+            if (element instanceof JsonArray arr
+                && sel instanceof Integer index) {
+                try {
+                    element = arr.get(index);
+                } catch (IndexOutOfBoundsException e) {
+                    throw new IllegalStateException("Selected array index"
+                        + " may not be empty.");
+                }
+                continue;
+            }
+            throw new IllegalStateException("Invalid selection");
+        }
+        return Optional.of(new GsonPtr(element));
+    }
+
     /**
      * Returns {@link JsonElement} that the pointer points to.
      *
@@ -336,4 +374,22 @@ public GsonPtr getOrSet(Object selector, String value) {
         return this;
     }
 
+    /**
+     * Removes all properties except the specified ones.
+     *
+     * @param properties the properties
+     */
+    public void removeExcept(String... properties) {
+        if (!position.isJsonObject()) {
+            return;
+        }
+        for (var itr = ((JsonObject) position).entrySet().iterator();
+                itr.hasNext();) {
+            var entry = itr.next();
+            if (Arrays.asList(properties).contains(entry.getKey())) {
+                continue;
+            }
+            itr.remove();
+        }
+    }
 }

From 80d416550050588c7567fd95b6988cf8a70b9448 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 13:32:27 +0100
Subject: [PATCH 22/35] Upgrade base library.

---
 org.jdrupes.vmoperator.manager/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.manager/build.gradle b/org.jdrupes.vmoperator.manager/build.gradle
index b581971c1..eda5ce081 100644
--- a/org.jdrupes.vmoperator.manager/build.gradle
+++ b/org.jdrupes.vmoperator.manager/build.gradle
@@ -17,7 +17,7 @@ dependencies {
     implementation 'org.jgrapes:org.jgrapes.io:[2.12.1,3)'
     implementation 'org.jgrapes:org.jgrapes.http:[3.5.0,4)'
     
-    implementation 'org.jgrapes:org.jgrapes.webconsole.base:[2.1.0,3)'
+    implementation 'org.jgrapes:org.jgrapes.webconsole.base:[2.2.0,3)'
     implementation 'org.jgrapes:org.jgrapes.webconsole.vuejs:[1.8.0,2)'
     implementation 'org.jgrapes:org.jgrapes.webconsole.rbac:[1.4.0,2)'
     implementation 'org.jgrapes:org.jgrapes.webconlet.oidclogin:[1.7.0,2)'

From 877d4c69cde50345521b6ca7858c1a2506b5b2aa Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 13:34:16 +0100
Subject: [PATCH 23/35] Remove obsolete method.

---
 .../jdrupes/vmoperator/manager/PvcReconciler.java | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
index 4ced1b135..5f10f47d8 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
@@ -214,19 +214,4 @@ private void reconcileRunnerDiskPvc(VmDefChanged event,
                 () -> "Could not patch pvc for " + pvcStub.name());
         }
     }
-
-    @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
-    private void removeImmutable(DynamicKubernetesObject pvcDef) {
-        var spec = GsonPtr.to(pvcDef.getRaw()).to("spec").get(JsonObject.class);
-        for (var itr = spec.entrySet().iterator(); itr.hasNext();) {
-            var entry = itr.next();
-            if ("volumeAttributesClassName".equals(entry.getKey())) {
-                continue;
-            }
-            if ("resources".equals(entry.getKey())) {
-                continue;
-            }
-            itr.remove();
-        }
-    }
 }

From 5d722abd2e95cc052124d3fe41ce27568c8be596 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 13:35:51 +0100
Subject: [PATCH 24/35] Add assignment based on last usage.

---
 deploy/crds/vmpools-crd.yaml                  |  9 +++
 dev-example/test-pool.yaml                    |  1 +
 .../vmoperator/common/VmDefinition.java       | 34 +++++++-
 .../org/jdrupes/vmoperator/common/VmPool.java | 38 +++++++++
 .../vmoperator/manager/PoolMonitor.java       | 40 +++++++++-
 .../jdrupes/vmoperator/manager/VmMonitor.java | 80 +++++++++++++------
 .../vmoperator/vmaccess/l10n.properties       |  1 +
 .../vmoperator/vmaccess/l10n_de.properties    |  3 +
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 12 ++-
 9 files changed, 186 insertions(+), 32 deletions(-)

diff --git a/deploy/crds/vmpools-crd.yaml b/deploy/crds/vmpools-crd.yaml
index 193d5478f..b34d096c2 100644
--- a/deploy/crds/vmpools-crd.yaml
+++ b/deploy/crds/vmpools-crd.yaml
@@ -16,6 +16,15 @@ spec:
             spec:
               type: object
               properties:
+                retention:
+                  description: >-
+                    Defines the timeout for assignments. The time may be
+                    specified as ISO 8601 time or duration. When specifying
+                    a duration, it will be added to the last time the VM's 
+                    console was used to obtain the timeout.
+                  type: string
+                  pattern: '^(?:\d{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])T(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d(?:\.\d{1,9})?(?:Z|[+-](?:[01]\d|2[0-3])(?:|:?[0-5]\d))|P(?:\d+Y)?(?:\d+M)?(?:\d+W)?(?:\d+D)?(?:T(?:\d+[Hh])?(?:\d+[Mm])?(?:\d+(?:\.\d{1,9})?[Ss])?)?)$'
+                  default: "PT1h"
                 permissions:
                   type: array
                   description: >-
diff --git a/dev-example/test-pool.yaml b/dev-example/test-pool.yaml
index 43c36b876..96289e366 100644
--- a/dev-example/test-pool.yaml
+++ b/dev-example/test-pool.yaml
@@ -4,6 +4,7 @@ metadata:
   namespace: vmop-dev
   name: test-vms
 spec:
+  retention: "PT1m"
   permissions:
   - user: admin
     may:
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index 375612bbe..2742b888b 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -18,7 +18,11 @@
 
 package org.jdrupes.vmoperator.common;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import io.kubernetes.client.openapi.models.V1Condition;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
+import java.time.Instant;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.EnumSet;
@@ -36,9 +40,12 @@
 /**
  * Represents a VM definition.
  */
-@SuppressWarnings({ "PMD.DataClass" })
+@SuppressWarnings({ "PMD.DataClass", "PMD.TooManyMethods" })
 public class VmDefinition {
 
+    private static ObjectMapper objectMapper
+        = new ObjectMapper().registerModule(new JavaTimeModule());
+
     private String kind;
     private String apiVersion;
     private V1ObjectMeta metadata;
@@ -306,6 +313,31 @@ public Optional<String> assignedTo() {
         return fromStatus("assignment", "user");
     }
 
+    /**
+     * Last usage of assigned VM.
+     *
+     * @return the optional
+     */
+    public Optional<Instant> assignmentLastUsed() {
+        return this.<String> fromStatus("assignment", "lastUsed")
+            .map(Instant::parse);
+    }
+
+    /**
+     * Return a condition from the status.
+     *
+     * @param name the condition's name
+     * @return the status, if the condition is defined
+     */
+    public Optional<V1Condition> condition(String name) {
+        return this.<List<Map<String, Object>>> fromStatus("conditions")
+            .orElse(Collections.emptyList()).stream()
+            .filter(cond -> DataPath.get(cond, "type")
+                .map(name::equals).orElse(false))
+            .findFirst()
+            .map(cond -> objectMapper.convertValue(cond, V1Condition.class));
+    }
+
     /**
      * Return a condition's status.
      *
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index 426a69cd8..8bf6dee1b 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -18,6 +18,8 @@
 
 package org.jdrupes.vmoperator.common;
 
+import java.time.Duration;
+import java.time.Instant;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
@@ -36,6 +38,7 @@
 public class VmPool {
 
     private String name;
+    private String retention;
     private boolean defined;
     private List<Grant> permissions = Collections.emptyList();
     private final Set<String> vms
@@ -86,6 +89,24 @@ public void setDefined(boolean defined) {
         this.defined = defined;
     }
 
+    /**
+     * Gets the retention.
+     *
+     * @return the retention
+     */
+    public String retention() {
+        return retention;
+    }
+
+    /**
+     * Sets the retention.
+     *
+     * @param retention the retention to set
+     */
+    public void setRetention(String retention) {
+        this.retention = retention;
+    }
+
     /**
      * Permissions granted for a VM from the pool.
      *
@@ -113,6 +134,11 @@ public Set<String> vms() {
         return vms;
     }
 
+    /**
+     * To string.
+     *
+     * @return the string
+     */
     @Override
     @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
     public String toString() {
@@ -147,4 +173,16 @@ public Set<Permission> permissionsFor(String user,
             .flatMap(Function.identity()).collect(Collectors.toSet());
     }
 
+    /**
+     * Return the instant until which an assignment should be retained.
+     *
+     * @param lastUsed the last used
+     * @return the instant
+     */
+    public Instant retainUntil(Instant lastUsed) {
+        if (retention.startsWith("P")) {
+            return lastUsed.plus(Duration.parse(retention));
+        }
+        return Instant.parse(retention);
+    }
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index e11f667b5..4a7a1cb1f 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -18,21 +18,26 @@
 
 package org.jdrupes.vmoperator.manager;
 
+import com.google.gson.JsonObject;
+import io.kubernetes.client.apimachinery.GroupVersionKind;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.util.Watch;
 import java.io.IOException;
+import java.time.Instant;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.ConcurrentHashMap;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicModel;
 import org.jdrupes.vmoperator.common.K8sDynamicModels;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
 import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
+import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.common.VmPool;
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_KIND_VM_POOL;
 import org.jdrupes.vmoperator.manager.events.GetPools;
@@ -129,6 +134,7 @@ protected void handleChange(K8sClient client,
         var vmPool = pools.computeIfAbsent(poolName, k -> new VmPool(poolName));
         var newData = client().getJSON().getGson().fromJson(
             GsonPtr.to(poolModel.data()).to("spec").get(), VmPool.class);
+        vmPool.setRetention(newData.retention());
         vmPool.setPermissions(newData.permissions());
         vmPool.setDefined(true);
         poolPipeline.fire(new VmPoolChanged(vmPool));
@@ -138,13 +144,15 @@ protected void handleChange(K8sClient client,
      * Track VM definition changes.
      *
      * @param event the event
+     * @throws ApiException 
      */
     @Handler
-    public void onVmDefChanged(VmDefChanged event) {
-        String vmName = event.vmDefinition().name();
+    public void onVmDefChanged(VmDefChanged event) throws ApiException {
+        final var vmDef = event.vmDefinition();
+        final String vmName = vmDef.name();
         switch (event.type()) {
         case ADDED:
-            event.vmDefinition().<List<String>> fromSpec("pools")
+            vmDef.<List<String>> fromSpec("pools")
                 .orElse(Collections.emptyList()).stream().forEach(p -> {
                     pools.computeIfAbsent(p, k -> new VmPool(p))
                         .vms().add(vmName);
@@ -157,10 +165,34 @@ public void onVmDefChanged(VmDefChanged event) {
                     poolPipeline.fire(new VmPoolChanged(p));
                 }
             });
-            break;
+            return;
         default:
             break;
         }
+
+        // Sync last usage to console state change if user matches
+        var assignedTo = vmDef.assignedTo().orElse(null);
+        if (assignedTo == null || !assignedTo
+            .equals(vmDef.<String> fromStatus("consoleUser").orElse(null))) {
+            return;
+        }
+        var lastUsed
+            = vmDef.assignmentLastUsed().orElse(Instant.ofEpochSecond(0));
+        var conChange = vmDef.condition("ConsoleConnected")
+            .map(c -> c.getLastTransitionTime().toInstant())
+            .orElse(Instant.ofEpochSecond(0));
+        if (!conChange.isAfter(lastUsed)) {
+            return;
+        }
+        var vmStub = VmDefinitionStub.get(client(),
+            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+            vmDef.namespace(), vmDef.name());
+        vmStub.updateStatus(from -> {
+            JsonObject status = from.status();
+            var assignment = GsonPtr.to(status).to("assignment");
+            assignment.set("lastUsed", conChange.toString());
+            return status;
+        });
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index b8ba46792..9b6f75fcf 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -1,6 +1,6 @@
 /*
  * VM-Operator
- * Copyright (C) 2023,2024 Michael N. Lipp
+ * Copyright (C) 2023,2025 Michael N. Lipp
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -25,7 +25,9 @@
 import io.kubernetes.client.util.Watch;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import java.io.IOException;
+import java.time.Instant;
 import java.util.ArrayList;
+import java.util.Comparator;
 import java.util.Optional;
 import java.util.Set;
 import java.util.logging.Level;
@@ -43,10 +45,12 @@
 import org.jdrupes.vmoperator.common.VmDefinitionModel;
 import org.jdrupes.vmoperator.common.VmDefinitionModels;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
+import org.jdrupes.vmoperator.common.VmPool;
 import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.manager.events.AssignVm;
 import org.jdrupes.vmoperator.manager.events.ChannelManager;
+import org.jdrupes.vmoperator.manager.events.GetPools;
 import org.jdrupes.vmoperator.manager.events.GetVms;
 import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
@@ -245,28 +249,59 @@ public void onGetVms(GetVms event) {
      *
      * @param event the event
      * @throws ApiException the api exception
+     * @throws InterruptedException 
      */
     @Handler
-    public void onAssignVm(AssignVm event) throws ApiException {
-        // Search for existing assignment.
-        var assignedVm = channelManager.channels().stream()
-            .filter(c -> c.vmDefinition().assignedFrom()
-                .map(p -> p.equals(event.fromPool())).orElse(false))
-            .filter(c -> c.vmDefinition().assignedTo()
-                .map(u -> u.equals(event.toUser())).orElse(false))
-            .findFirst();
-        if (assignedVm.isPresent()) {
-            event.setResult(new VmData(assignedVm.get().vmDefinition(),
-                assignedVm.get()));
-            return;
-        }
+    @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
+    public void onAssignVm(AssignVm event)
+            throws ApiException, InterruptedException {
+        VmPool vmPool = null;
+        while (true) {
+            // Search for existing assignment.
+            var assignedVm = channelManager.channels().stream()
+                .filter(c -> c.vmDefinition().assignedFrom()
+                    .map(p -> p.equals(event.fromPool())).orElse(false))
+                .filter(c -> c.vmDefinition().assignedTo()
+                    .map(u -> u.equals(event.toUser())).orElse(false))
+                .findFirst();
+            if (assignedVm.isPresent()) {
+                var vmDef = assignedVm.get().vmDefinition();
+                event.setResult(new VmData(vmDef, assignedVm.get()));
+                return;
+            }
 
-        // Find available VM.
-        assignedVm = channelManager.channels().stream()
-            .filter(c -> c.vmDefinition().pools().contains(event.fromPool()))
-            .filter(c -> c.vmDefinition().assignedTo().isEmpty())
-            .findFirst();
-        if (assignedVm.isPresent()) {
+            // Get the pool definition for retention time calculations
+            if (vmPool == null) {
+                vmPool = newEventPipeline().fire(new GetPools()
+                    .withName(event.fromPool())).get().stream().findFirst()
+                    .orElse(null);
+                if (vmPool == null) {
+                    return;
+                }
+            }
+
+            // Find available VM.
+            var pool = vmPool;
+            assignedVm = channelManager.channels().stream()
+                .filter(c -> c.vmDefinition().pools()
+                    .contains(event.fromPool()))
+                .filter(c -> !c.vmDefinition()
+                    .conditionStatus("ConsoleConnected").orElse(false))
+                .filter(c -> c.vmDefinition().assignedTo().isEmpty()
+                    || pool.retainUntil(c.vmDefinition()
+                        .<String> fromStatus("assignment", "lastUsed")
+                        .map(Instant::parse).orElse(Instant.ofEpochSecond(0)))
+                        .isBefore(Instant.now()))
+                .sorted(Comparator.comparing(c -> c.vmDefinition()
+                    .assignmentLastUsed().orElse(Instant.ofEpochSecond(0))))
+                .findFirst();
+
+            // None found
+            if (assignedVm.isEmpty()) {
+                return;
+            }
+
+            // Assign to user
             var vmDef = assignedVm.get().vmDefinition();
             var vmStub = VmDefinitionStub.get(client(),
                 new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
@@ -276,14 +311,13 @@ public void onAssignVm(AssignVm event) throws ApiException {
                 var assignment = GsonPtr.to(status).to("assignment");
                 assignment.set("pool", event.fromPool());
                 assignment.set("user", event.toUser());
+                assignment.set("lastUsed", Instant.now().toString());
                 return status;
             });
 
-            // Always start a newly assigned VM.
+            // Make sure that a newly assigned VM is running.
             fire(new ModifyVm(vmDef.name(), "state", "Running",
                 assignedVm.get()));
-            event.setResult(new VmData(vmDef, assignedVm.get()));
         }
     }
-
 }
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
index d755e7a87..6305a4b69 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
@@ -5,3 +5,4 @@ okayLabel = Apply and Close
 confirmResetTitle = Confirm reset
 confirmResetMsg = Resetting the VM may cause loss of data. \
   Please confirm to continue.
+poolEmptyNotification = No VM available. Please consult your administrator.
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
index 7d4ff231c..dbd3b112c 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
@@ -11,3 +11,6 @@ Open\ console = Konsole anzeigen
 confirmResetTitle = Zurücksetzen bestätigen
 confirmResetMsg = Zurücksetzen der VM kann zu Datenverlust führen. \
   Bitte bestätigen um fortzufahren.
+poolEmptyNotification = Keine VM verfügbar. Wenden Sie sich bitte an den \
+  Systemadministrator.
+  
\ No newline at end of file
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index e6d4e582f..5c7230991 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -86,6 +86,7 @@
 import org.jgrapes.webconsole.base.events.ConsolePrepared;
 import org.jgrapes.webconsole.base.events.ConsoleReady;
 import org.jgrapes.webconsole.base.events.DeleteConlet;
+import org.jgrapes.webconsole.base.events.DisplayNotification;
 import org.jgrapes.webconsole.base.events.NotifyConletModel;
 import org.jgrapes.webconsole.base.events.NotifyConletView;
 import org.jgrapes.webconsole.base.events.OpenModalDialog;
@@ -717,10 +718,9 @@ public void onVmPoolChanged(VmPoolChanged event)
         }
     }
 
-    @Override
-    @SuppressWarnings({ "PMD.AvoidDecimalLiteralsInBigDecimalConstructor",
-        "PMD.ConfusingArgumentToVarargsMethod", "PMD.NcssCount",
+    @SuppressWarnings({ "PMD.NcssCount", "PMD.CognitiveComplexity",
         "PMD.AvoidLiteralsInIfCondition" })
+    @Override
     protected void doUpdateConletState(NotifyConletModel event,
             ConsoleConnection channel, ResourceModel model) throws Exception {
         event.stop();
@@ -741,7 +741,11 @@ protected void doUpdateConletState(NotifyConletModel event,
                 vmData = Optional.ofNullable(appPipeline
                     .fire(new AssignVm(model.name(), user)).get());
                 if (vmData.isEmpty()) {
-                    // TODO message
+                    ResourceBundle resourceBundle
+                        = resourceBundle(channel.locale());
+                    channel.respond(new DisplayNotification(
+                        resourceBundle.getString("poolEmptyNotification"),
+                        Map.of("autoClose", 15_000, "type", "Error")));
                     return;
                 }
             }

From 2a70c74234c6fc354403eb7444f00117b32cd372 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 13:39:22 +0100
Subject: [PATCH 25/35] Use consistent method names.

---
 .../manager/ConfigMapReconciler.java           |  4 ++--
 .../vmoperator/manager/PvcReconciler.java      |  2 +-
 .../org/jdrupes/vmoperator/util/GsonPtr.java   | 18 +++++++++---------
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
index 68ca7faf0..9c6dc3ea9 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
@@ -86,14 +86,14 @@ public Map<String, Object> reconcile(Map<String, Object> model,
         // Maybe override logging.properties from reconciler configuration.
         DataPath.<String> get(model, "reconciler", "loggingProperties")
             .ifPresent(props -> {
-                GsonPtr.to(mapDef.getRaw()).get(JsonObject.class, "data")
+                GsonPtr.to(mapDef.getRaw()).getAs(JsonObject.class, "data")
                     .get().addProperty("logging.properties", props);
             });
 
         // Maybe override logging.properties from VM definition.
         DataPath.<String> get(model, "cr", "spec", "loggingProperties")
             .ifPresent(props -> {
-                GsonPtr.to(mapDef.getRaw()).get(JsonObject.class, "data")
+                GsonPtr.to(mapDef.getRaw()).getAs(JsonObject.class, "data")
                     .get().addProperty("logging.properties", props);
             });
 
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
index 5f10f47d8..caae5a39d 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
@@ -204,7 +204,7 @@ private void reconcileRunnerDiskPvc(VmDefChanged event,
         // If bound, use json merge, omitting immutable fields
         var spec = GsonPtr.to(pvcDef.getRaw()).to("spec");
         spec.removeExcept("volumeAttributesClassName", "resources");
-        spec.access("resources").ifPresent(p -> p.removeExcept("requests"));
+        spec.get("resources").ifPresent(p -> p.removeExcept("requests"));
         PatchOptions opts = new PatchOptions();
         opts.setFieldManager("kubernetes-java-kubectl-apply");
         if (pvcStub.patch(V1Patch.PATCH_FORMAT_JSON_MERGE_PATCH,
diff --git a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
index de96ec637..36c3444e8 100644
--- a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
+++ b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
@@ -103,7 +103,7 @@ public GsonPtr to(Object... selectors) {
      * @return the Gson pointer
      */
     @SuppressWarnings({ "PMD.ShortMethodName", "PMD.PreserveStackTrace" })
-    public Optional<GsonPtr> access(Object... selectors) {
+    public Optional<GsonPtr> get(Object... selectors) {
         JsonElement element = position;
         for (Object sel : selectors) {
             if (element instanceof JsonObject obj
@@ -147,7 +147,7 @@ public JsonElement get() {
      * @return the result
      */
     @SuppressWarnings({ "PMD.AvoidBranchingStatementAsLastInLoop" })
-    public <T extends JsonElement> T get(Class<T> cls) {
+    public <T extends JsonElement> T getAs(Class<T> cls) {
         if (cls.isAssignableFrom(position.getClass())) {
             return cls.cast(position);
         }
@@ -166,7 +166,7 @@ public <T extends JsonElement> T get(Class<T> cls) {
      */
     @SuppressWarnings({ "PMD.AvoidBranchingStatementAsLastInLoop" })
     public <T extends JsonElement> Optional<T>
-            get(Class<T> cls, Object... selectors) {
+            getAs(Class<T> cls, Object... selectors) {
         JsonElement element = position;
         for (Object sel : selectors) {
             if (element instanceof JsonObject obj
@@ -201,7 +201,7 @@ public <T extends JsonElement> T get(Class<T> cls) {
      * @return the as string
      */
     public Optional<String> getAsString(Object... selectors) {
-        return get(JsonPrimitive.class, selectors)
+        return getAs(JsonPrimitive.class, selectors)
             .map(JsonPrimitive::getAsString);
     }
 
@@ -212,7 +212,7 @@ public Optional<String> getAsString(Object... selectors) {
      * @return the as string
      */
     public Optional<Integer> getAsInt(Object... selectors) {
-        return get(JsonPrimitive.class, selectors)
+        return getAs(JsonPrimitive.class, selectors)
             .map(JsonPrimitive::getAsInt);
     }
 
@@ -223,7 +223,7 @@ public Optional<Integer> getAsInt(Object... selectors) {
      * @return the as string
      */
     public Optional<BigInteger> getAsBigInteger(Object... selectors) {
-        return get(JsonPrimitive.class, selectors)
+        return getAs(JsonPrimitive.class, selectors)
             .map(JsonPrimitive::getAsBigInteger);
     }
 
@@ -234,7 +234,7 @@ public Optional<BigInteger> getAsBigInteger(Object... selectors) {
      * @return the as string
      */
     public Optional<Long> getAsLong(Object... selectors) {
-        return get(JsonPrimitive.class, selectors)
+        return getAs(JsonPrimitive.class, selectors)
             .map(JsonPrimitive::getAsLong);
     }
 
@@ -245,7 +245,7 @@ public Optional<Long> getAsLong(Object... selectors) {
      * @return the boolean
      */
     public Optional<Boolean> getAsBoolean(Object... selectors) {
-        return get(JsonPrimitive.class, selectors)
+        return getAs(JsonPrimitive.class, selectors)
             .map(JsonPrimitive::getAsBoolean);
     }
 
@@ -260,7 +260,7 @@ public Optional<Boolean> getAsBoolean(Object... selectors) {
     @SuppressWarnings("unchecked")
     public <T extends JsonElement> List<T> getAsListOf(Class<T> cls,
             Object... selectors) {
-        return get(JsonArray.class, selectors).map(a -> (List<T>) a.asList())
+        return getAs(JsonArray.class, selectors).map(a -> (List<T>) a.asList())
             .orElse(Collections.emptyList());
     }
 

From a0d626cc319f22966ac843201f7d0a878a3c2592 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 13:40:51 +0100
Subject: [PATCH 26/35] Fix warnings.

---
 .../org/jdrupes/vmoperator/common/K8sClusterGenericStub.java | 5 +++--
 .../src/org/jdrupes/vmoperator/manager/PvcReconciler.java    | 2 --
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java
index 81a4eaba7..af87af211 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java
@@ -45,7 +45,8 @@
  * @param <O> the generic type
  * @param <L> the generic type
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
+@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis",
+    "PMD.CouplingBetweenObjects" })
 public class K8sClusterGenericStub<O extends KubernetesObject,
         L extends KubernetesListObject> {
     protected final K8sClient client;
@@ -373,7 +374,7 @@ R create(Class<O> objectClass, Class<L> objectListClass,
     public static <O extends KubernetesObject, L extends KubernetesListObject,
             R extends K8sClusterGenericStub<O, L>>
             Collection<R> list(Class<O> objectClass, Class<L> objectListClass,
-                    K8sClient client, APIResource context, 
+                    K8sClient client, APIResource context,
                     ListOptions options, GenericSupplier<O, L, R> provider)
                     throws ApiException {
         var result = new ArrayList<R>();
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
index caae5a39d..34085f095 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
@@ -18,7 +18,6 @@
 
 package org.jdrupes.vmoperator.manager;
 
-import com.google.gson.JsonObject;
 import freemarker.core.ParseException;
 import freemarker.template.Configuration;
 import freemarker.template.MalformedTemplateNameException;
@@ -26,7 +25,6 @@
 import freemarker.template.TemplateNotFoundException;
 import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiException;
-import io.kubernetes.client.util.generic.dynamic.DynamicKubernetesObject;
 import io.kubernetes.client.util.generic.dynamic.Dynamics;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import io.kubernetes.client.util.generic.options.PatchOptions;

From 574ad5226bd5d03b4b46566b82b767544a047700 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 14:33:56 +0100
Subject: [PATCH 27/35] Fix typescript error.

---
 .../jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts   | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
index 6ab15b879..f18836a3e 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
@@ -75,17 +75,17 @@ window.orgJDrupesVmOperatorVmMgmt.initPreview = (previewDom: HTMLElement,
                 chart = new CpuRamChart(canvas, chartData);
             })
 
-            watch(chartDateUpdate, (_) => {
+            watch(chartDateUpdate, (_: never) => {
                 chart?.update();
             })
 
-            watch(JGWC.langRef(), (_) => {
+            watch(JGWC.langRef(), (_: never) => {
                 chart?.localizeChart();
             })
 
             const period: Ref<string> = ref<string>("day");
             
-            watch(period, (_) => { 
+            watch(period, (_: never) => { 
                 const hours = (period.value === "day") ? 24 : 1;
                 chart?.setPeriod(hours * 3600 * 1000);
             });

From 53a58a2aca1fdda39e159ab2064fbfca08230d61 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 15:12:49 +0100
Subject: [PATCH 28/35] Add users for pool testing.

---
 dev-example/config.yaml        | 18 ++++++++++++++----
 dev-example/kustomization.yaml | 14 ++++++++++++--
 dev-example/test-pool.yaml     |  2 +-
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/dev-example/config.yaml b/dev-example/config.yaml
index f2e05633f..c0dc4b1a2 100644
--- a/dev-example/config.yaml
+++ b/dev-example/config.yaml
@@ -40,15 +40,25 @@
           - name: admin
             fullName: Administrator
             password: "$2b$05$NiBd74ZGdplLC63ePZf1f.UtjMKkbQ23cQoO2OKOFalDBHWAOy21."
-          - name: test
-            fullName: Test Account
+          - name: test1
+            fullName: Test Account 1
+            password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
+          - name: test2
+            fullName: Test Account 2
+            password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
+          - name: test3
+            fullName: Test Account 3
             password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
         "/RoleConfigurator":
           rolesByUser:
             # User admin has role admin
             admin:
             - admin
-            test:
+            test1:
+            - user
+            test2:
+            - user
+            test3:
             - user
             # All users have role other
             "*":
@@ -60,7 +70,7 @@
             admin:
             - "*"
             user:
-            - org.jdrupes.vmoperator.vmviewer.VmViewer
+            - org.jdrupes.vmoperator.vmaccess.VmAccess
             # Others cannot use any conlet (except login conlet to log out)
             other:
             - org.jgrapes.webconlet.oidclogin.LoginConlet
diff --git a/dev-example/kustomization.yaml b/dev-example/kustomization.yaml
index 7dc4a1575..975d95f9f 100644
--- a/dev-example/kustomization.yaml
+++ b/dev-example/kustomization.yaml
@@ -54,7 +54,13 @@ patches:
                   - name: admin
                     fullName: Administrator
                     password: "$2b$05$NiBd74ZGdplLC63ePZf1f.UtjMKkbQ23cQoO2OKOFalDBHWAOy21."
-                  - name: test
+                  - name: test1
+                    fullName: Test Account
+                    password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
+                  - name: test2
+                    fullName: Test Account
+                    password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
+                  - name: test3
                     fullName: Test Account
                     password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
                 "/RoleConfigurator":
@@ -62,7 +68,11 @@ patches:
                     # User admin has role admin
                     admin:
                     - admin
-                    test:
+                    test1:
+                    - user
+                    test2:
+                    - user
+                    test3:
                     - user
                     # All users have role other
                     "*":
diff --git a/dev-example/test-pool.yaml b/dev-example/test-pool.yaml
index 96289e366..82b91317d 100644
--- a/dev-example/test-pool.yaml
+++ b/dev-example/test-pool.yaml
@@ -9,6 +9,6 @@ spec:
   - user: admin
     may:
     - accessConsole
-  - user: test
+  - role: user
     may:
     - accessConsole

From aaf1a0c545790aa55a3a120c5f22e27fd9f01cac Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 22:27:07 +0100
Subject: [PATCH 29/35] Add operator for testing.

---
 dev-example/config.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/dev-example/config.yaml b/dev-example/config.yaml
index c0dc4b1a2..586a16ef0 100644
--- a/dev-example/config.yaml
+++ b/dev-example/config.yaml
@@ -40,6 +40,9 @@
           - name: admin
             fullName: Administrator
             password: "$2b$05$NiBd74ZGdplLC63ePZf1f.UtjMKkbQ23cQoO2OKOFalDBHWAOy21."
+          - name: operator
+            fullName: Operator
+            password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
           - name: test1
             fullName: Test Account 1
             password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
@@ -54,6 +57,8 @@
             # User admin has role admin
             admin:
             - admin
+            operator:
+            - operator
             test1:
             - user
             test2:
@@ -69,6 +74,8 @@
             # Admins can use all conlets
             admin:
             - "*"
+            operator:
+            - org.jdrupes.vmoperator.vmaccess.VmAccess
             user:
             - org.jdrupes.vmoperator.vmaccess.VmAccess
             # Others cannot use any conlet (except login conlet to log out)

From 224855efd3b12350966030c5453d34120fcca146 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 22:27:52 +0100
Subject: [PATCH 30/35] Disable empty lists.

---
 .../org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html  | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
index afbff3a99..a34f72597 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
@@ -10,7 +10,8 @@
         <ul>
           <li>
             <label>
-              <input v-model="resource" type="radio" value="vm">
+              <input v-model="resource" type="radio" value="vm"
+                <#if vmNames?size == 0>:disabled="true"</#if>label>
               <span>{{ localize("VM") }}</span>
               <select v-model="vmNameInput" :disabled="resource !== 'vm'">
               <#list vmNames as name>
@@ -21,7 +22,8 @@
           </li>
           <li>
             <label>
-              <input v-model="resource" type="radio" value="pool">
+              <input v-model="resource" type="radio" value="pool"
+                <#if poolNames?size == 0>:disabled="true"</#if>>
               <span>{{ localize("Pool") }}</span>
               <select v-model="poolNameInput" :disabled="resource !== 'pool'">
               <#list poolNames as name>

From 981cbe274456f3c674a94093ae85ec9cb1aed1f0 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 26 Jan 2025 14:52:26 +0100
Subject: [PATCH 31/35] Improve readability.

---
 .../vmoperator/common/VmDefinition.java       | 18 ++++++++
 .../vmoperator/manager/PoolMonitor.java       | 22 ++++-----
 .../jdrupes/vmoperator/manager/VmMonitor.java | 45 +++++++++++++++----
 3 files changed, 65 insertions(+), 20 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index 2742b888b..da639f46f 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -353,6 +353,24 @@ public Optional<Boolean> conditionStatus(String name) {
                 .map("True"::equals).orElse(false));
     }
 
+    /**
+     * Return true if the console is in use.
+     *
+     * @return true, if successful
+     */
+    public boolean consoleConnected() {
+        return conditionStatus("ConsoleConnected").orElse(false);
+    }
+
+    /**
+     * Return the last known console user.
+     *
+     * @return the optional
+     */
+    public Optional<String> consoleUser() {
+        return this.<String> fromStatus("consoleUser");
+    }
+
     /**
      * Set extra data (locally used, unknown to kubernetes).
      *
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 4a7a1cb1f..060665072 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -23,7 +23,6 @@
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.util.Watch;
 import java.io.IOException;
-import java.time.Instant;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
@@ -171,17 +170,18 @@ vmDef.<List<String>> fromSpec("pools")
         }
 
         // Sync last usage to console state change if user matches
-        var assignedTo = vmDef.assignedTo().orElse(null);
-        if (assignedTo == null || !assignedTo
-            .equals(vmDef.<String> fromStatus("consoleUser").orElse(null))) {
+        if (vmDef.assignedTo()
+            .map(at -> at.equals(vmDef.consoleUser().orElse(null)))
+            .orElse(true)) {
             return;
         }
-        var lastUsed
-            = vmDef.assignmentLastUsed().orElse(Instant.ofEpochSecond(0));
-        var conChange = vmDef.condition("ConsoleConnected")
-            .map(c -> c.getLastTransitionTime().toInstant())
-            .orElse(Instant.ofEpochSecond(0));
-        if (!conChange.isAfter(lastUsed)) {
+
+        var ccChange = vmDef.condition("ConsoleConnected")
+            .map(cc -> cc.getLastTransitionTime().toInstant());
+        if (ccChange
+            .map(tt -> vmDef.assignmentLastUsed().map(alu -> alu.isAfter(tt))
+                .orElse(true))
+            .orElse(true)) {
             return;
         }
         var vmStub = VmDefinitionStub.get(client(),
@@ -190,7 +190,7 @@ vmDef.<List<String>> fromSpec("pools")
         vmStub.updateStatus(from -> {
             JsonObject status = from.status();
             var assignment = GsonPtr.to(status).to("assignment");
-            assignment.set("lastUsed", conChange.toString());
+            assignment.set("lastUsed", ccChange.get().toString());
             return status;
         });
     }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 9b6f75fcf..102a6c9cd 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -283,15 +283,7 @@ public void onAssignVm(AssignVm event)
             // Find available VM.
             var pool = vmPool;
             assignedVm = channelManager.channels().stream()
-                .filter(c -> c.vmDefinition().pools()
-                    .contains(event.fromPool()))
-                .filter(c -> !c.vmDefinition()
-                    .conditionStatus("ConsoleConnected").orElse(false))
-                .filter(c -> c.vmDefinition().assignedTo().isEmpty()
-                    || pool.retainUntil(c.vmDefinition()
-                        .<String> fromStatus("assignment", "lastUsed")
-                        .map(Instant::parse).orElse(Instant.ofEpochSecond(0)))
-                        .isBefore(Instant.now()))
+                .filter(c -> isAssignable(pool, c.vmDefinition()))
                 .sorted(Comparator.comparing(c -> c.vmDefinition()
                     .assignmentLastUsed().orElse(Instant.ofEpochSecond(0))))
                 .findFirst();
@@ -320,4 +312,39 @@ public void onAssignVm(AssignVm event)
                 assignedVm.get()));
         }
     }
+
+    @SuppressWarnings("PMD.SimplifyBooleanReturns")
+    private boolean isAssignable(VmPool pool, VmDefinition vmDef) {
+        // Check if the VM is in the pool
+        if (!vmDef.pools().contains(pool.name())) {
+            return false;
+        }
+
+        // Check if the VM is not in use
+        if (vmDef.consoleConnected()) {
+            return false;
+        }
+
+        // If not assigned, it's usable
+        if (vmDef.assignedTo().isEmpty()) {
+            return true;
+        }
+
+        // Check if it is to be retained
+        if (vmDef.assignmentLastUsed()
+            .map(lu -> pool.retainUntil(lu))
+            .map(ru -> Instant.now().isBefore(ru)).orElse(false)) {
+            return false;
+        }
+
+        // Additional check in case lastUsed has not been updated
+        // by PoolMonitor#onVmDefChanged() yet ("race condition")
+        if (vmDef.condition("ConsoleConnected")
+            .map(cc -> cc.getLastTransitionTime().toInstant())
+            .map(t -> pool.retainUntil(t))
+            .map(ru -> Instant.now().isBefore(ru)).orElse(false)) {
+            return false;
+        }
+        return true;
+    }
 }

From e7cc7cc879b1870de86df0c36a4a3a082db0e0d0 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 26 Jan 2025 15:58:38 +0100
Subject: [PATCH 32/35] Enhance console connection entry.

---
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html     | 7 ++++++-
 .../org/jdrupes/vmoperator/vmmgmt/l10n.properties          | 1 +
 .../org/jdrupes/vmoperator/vmmgmt/l10n_de.properties       | 1 +
 .../jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts  | 2 +-
 .../jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss    | 4 ++++
 5 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
index 9d0a2d498..a57c53399 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
@@ -34,7 +34,7 @@
           :aria-expanded="(entry.name in detailsByName) ? 'true' : 'false'">
           <td v-for="key in controller.keys" 
             v-bind:class="'column-' + key"
-            v-bind:title="key == 'name' ? entry['name']: false"
+            v-bind:title="key == 'name' ? entry['name'] : null"
             v-bind:rowspan="(key == 'name') && $aash.isDisclosed(scopedId(rowIndex)) ? 2 : false">
             <aash-disclosure-button v-if="key === 'name'" :type="'div'"
               :id-ref="scopedId(rowIndex)">
@@ -48,6 +48,11 @@
               >{{ shortDateTime(entry[key].toString()) }}</span>
             <span v-else-if="key === 'currentRam'"
               >{{ formatMemory(entry[key]) }}</span>
+            <span v-else-if="key === 'usedBy'"
+              :class="{ 'console-conection-closed' : !entry.usedFrom }"
+              :title="entry.usedFrom ? localize('usedFrom') 
+                + ' ' + entry.usedFrom : localize('notInUse')"
+              v-html="controller.breakBeforeDots(entry[key])"></span>
             <span v-else
               v-html="controller.breakBeforeDots(entry[key])"></span>
           </td>
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
index 51ca610ad..0ab15fd60 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
@@ -7,6 +7,7 @@ currentCpus = Current CPUs
 currentRam = Current RAM
 maximumCpus = Maximum CPUs
 maximumRam = Maximum RAM
+notInUse = Currently closed
 nodeName = Node
 requestedCpus = Requested CPUs
 requestedRam = Requested RAM
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
index 3e67928be..c8d8c4dfd 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
@@ -12,6 +12,7 @@ currentRam = Akuelles RAM
 maximumCpus = Maximale CPUs
 maximumRam = Maximales RAM
 nodeName = Knoten
+notInUse = Derzeit geschlossen
 requestedCpus = Angeforderte CPUs
 requestedRam = Angefordertes RAM
 running = Gestartet
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
index f18836a3e..d8247ba4e 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
@@ -164,7 +164,7 @@ window.orgJDrupesVmOperatorVmMgmt.initView = (viewDom: HTMLElement,
             return {
                 controller, vmInfos, filteredData, detailsByName, localize, 
                 shortDateTime, formatMemory, vmAction, cic, parseMemory,
-                maximumCpus,
+                maximumCpus, 
                 scopedId: (id: string) => { return idScope.scopedId(id); }
             };
         }
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
index 9d7721a2e..3a3f0d75b 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
@@ -72,6 +72,10 @@
         }
       }
     }
+    
+    .console-conection-closed {
+      color: var(--disabled);
+    }
   }
   
   td.details {

From 3ca632c8dab3047a7f42013ae023a4a932d66c9f Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 26 Jan 2025 17:21:36 +0100
Subject: [PATCH 33/35] Exchange columns.

---
 .../org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
index d8247ba4e..c7f851902 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
@@ -112,8 +112,8 @@ window.orgJDrupesVmOperatorVmMgmt.initView = (viewDom: HTMLElement,
                 ["currentCpus", "currentCpus"],
                 ["currentRam", "currentRam"],
                 ["nodeName", "nodeName"],
-                ["assignedTo", "assignedTo"],
-                ["usedBy", "usedBy"]
+                ["usedBy", "usedBy"],
+                ["assignedTo", "assignedTo"]
             ], {
                 sortKey: "name",
                 sortOrder: "up"

From 1b5ad5b73e0e98edc8bca1e99618c764e3af5f35 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 26 Jan 2025 21:49:37 +0100
Subject: [PATCH 34/35] Prevent unauthorized console take over.

---
 deploy/crds/vms-crd.yaml                         |  5 +++++
 .../jdrupes/vmoperator/common/VmDefinition.java  |  2 +-
 .../jdrupes/vmoperator/vmaccess/l10n.properties  |  1 +
 .../vmoperator/vmaccess/l10n_de.properties       |  1 +
 .../jdrupes/vmoperator/vmaccess/VmAccess.java    | 16 +++++++++++++---
 5 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index 9d7bbb859..7b46dc704 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -994,6 +994,10 @@ spec:
                   type: array
                   description: >-
                     Defines permissions for accessing and manipulating the VM.
+                    The meaning of most permissions should be obvious. The
+                    difference between "accessConsole" and "takeConsole" is
+                    that "takeConsole" allows the user to take control of
+                    the console even if it is already in use by another user.
                   items:
                     type: object
                     description: >-
@@ -1017,6 +1021,7 @@ spec:
                           - stop
                           - reset
                           - accessConsole
+                          - takeConsole
                           - "*"
                         default: []
                 pools:
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index da639f46f..f577d2891 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -65,7 +65,7 @@ public enum RequestedVmState {
      */
     public enum Permission {
         START("start"), STOP("stop"), RESET("reset"),
-        ACCESS_CONSOLE("accessConsole");
+        ACCESS_CONSOLE("accessConsole"), TAKE_CONSOLE("takeConsole");
 
         @SuppressWarnings("PMD.UseConcurrentHashMap")
         private static Map<String, Permission> reprs = new HashMap<>();
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
index 6305a4b69..8f4051ec5 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
@@ -5,4 +5,5 @@ okayLabel = Apply and Close
 confirmResetTitle = Confirm reset
 confirmResetMsg = Resetting the VM may cause loss of data. \
   Please confirm to continue.
+consoleTakenNotification = Console access is locked by another user.
 poolEmptyNotification = No VM available. Please consult your administrator.
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
index dbd3b112c..e51eb5eff 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
@@ -11,6 +11,7 @@ Open\ console = Konsole anzeigen
 confirmResetTitle = Zurücksetzen bestätigen
 confirmResetMsg = Zurücksetzen der VM kann zu Datenverlust führen. \
   Bitte bestätigen um fortzufahren.
+consoleTakenNotification = Die Konsole wird von einem anderen Benutzer verwendet.
 poolEmptyNotification = Keine VM verfügbar. Wenden Sie sich bitte an den \
   Systemadministrator.
   
\ No newline at end of file
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 5c7230991..5f2d747e0 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -779,9 +779,19 @@ protected void doUpdateConletState(NotifyConletModel event,
             }
             break;
         case "openConsole":
-            if (perms.contains(VmDefinition.Permission.ACCESS_CONSOLE)) {
-                var user = WebConsoleUtils.userFromSession(channel.session())
-                    .map(ConsoleUser::getName).orElse("");
+            var user = WebConsoleUtils.userFromSession(channel.session())
+                .map(ConsoleUser::getName).orElse("");
+            if (vmDef.conditionStatus("ConsoleConnected").orElse(false)
+                && vmDef.consoleUser().map(cu -> !cu.equals(user)
+                    && !perms.contains(VmDefinition.Permission.TAKE_CONSOLE))
+                    .orElse(false)) {
+                channel.respond(new DisplayNotification(
+                    resourceBundle.getString("consoleTakenNotification"),
+                    Map.of("autoClose", 5_000, "type", "Warning")));
+                return;
+            }
+            if (perms.contains(VmDefinition.Permission.ACCESS_CONSOLE)
+                || perms.contains(VmDefinition.Permission.TAKE_CONSOLE)) {
                 var pwQuery
                     = Event.onCompletion(new GetDisplayPassword(vmDef, user),
                         e -> openConsole(vmDef, channel, model,

From 86f6ece2648bbc514cd7fbb9a7ae8a4e54a21c78 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 26 Jan 2025 21:55:24 +0100
Subject: [PATCH 35/35] Adjust auto close time.

---
 .../src/org/jdrupes/vmoperator/vmaccess/VmAccess.java           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 5f2d747e0..786fedf48 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -745,7 +745,7 @@ protected void doUpdateConletState(NotifyConletModel event,
                         = resourceBundle(channel.locale());
                     channel.respond(new DisplayNotification(
                         resourceBundle.getString("poolEmptyNotification"),
-                        Map.of("autoClose", 15_000, "type", "Error")));
+                        Map.of("autoClose", 10_000, "type", "Error")));
                     return;
                 }
             }