
Deployment Overview of Proxmox VE on Server

Prerequisites and Basic Requirements

The deployment requires a Debian-based operating system. The following distributions and releases are supported:

  • Debian 11 (Bullseye)
  • Debian 12 (Bookworm)
  • Debian 13 (Trixie)

Installation commands run as root and modify system configuration. The system hostname follows the pattern prefix + server_id + zone domain (for example prefix123.example.com). Proxmox VE requires that this hostname resolve to the server's routable IP address rather than to 127.0.1.1, which is why /etc/hosts is updated during installation.

The following network ports and services are used:

  • Port 8006: Proxmox VE web interface (pveproxy, HTTPS). The Nginx proxy forwards to it; nothing in this configuration blocks direct access to 8006, so restrict it at the firewall if the proxy is meant to be the only entry point.
  • Ports 80 and 443: Nginx proxy for TLS termination and traffic routing (80 is also where the container answers the Let's Encrypt HTTP challenge by default).
  • Port 123: NTP synchronization via Chrony (on Debian 12).

File and Directory Structure

Configuration files and data are organized in the following locations:

  • /etc/apt/sources.list.d/pve-install-repo.list: Repository definition for Proxmox VE packages.
  • /etc/apt/trusted.gpg.d/proxmox-release-*.gpg: GPG keys for the Proxmox repository, versioned by Debian release.
  • /etc/hosts: Updated to include the server's IP address and the service domain name.
  • /root/nginx/: Directory containing the Docker Compose configuration for the proxy.
  • /root/nginx/compose.yml: Docker Compose file defining the Nginx and Certbot services.
  • /data/nginx/user_conf.d/: Directory containing custom Nginx configuration files.
  • /data/nginx/user_conf.d/prefixserver_id.hostkey.in.conf: Specific configuration file for the Proxmox proxy pass.
  • /data/nginx/nginx-certbot.env: Environment file for Nginx Certbot configuration.
  • /etc/letsencrypt: Volume mount point for SSL certificates managed by the Nginx container.

Application Installation Process

The Proxmox VE installation is performed using the apt package manager. The process involves adding the official Proxmox repository and installing the core packages.

  1. Repository Configuration: The Proxmox VE repository is added to the system with the following source line:

    deb http://download.proxmox.com/debian/pve <debian_release> pve-no-subscription
    
    The corresponding GPG key is downloaded and placed in /etc/apt/trusted.gpg.d/. A key in that directory is trusted for every configured repository, not only Proxmox's, so compare its checksum with the value published in the Proxmox installation guide before running apt update.

  2. Package Installation: The following packages are installed to set up the hypervisor and required utilities:

    • proxmox-ve: The main Proxmox VE package.
    • postfix: Mail transfer agent.
    • open-iscsi: iSCSI initiator support.
    • debconf-utils: Debconf utility for non-interactive configuration.
    • isc-dhcp-client: DHCP client.
  3. Kernel Management: Depending on the Debian release, specific kernels are installed and the default Debian kernels are removed:

    • Debian 11: Installs pve-kernel-5.15 and removes linux-image-amd64 and linux-image-5.10*.
    • Debian 12: Installs proxmox-default-kernel and removes linux-image-amd64 and linux-image-6.1*.
    • Debian 13: Installs proxmox-default-kernel and removes linux-image-amd64 and linux-image-6.12*.
  4. System Updates: update-grub regenerates the bootloader configuration so the new kernel becomes the default, and os-prober is removed because it scans every block device, including VM disks, and would add guest operating systems to the boot menu.
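The four steps above, together with the hostname and /etc/hosts preparation from the prerequisites, as an added example in POSIX shell. This is not the page's or Proxmox's own script. The release-specific values (repository line, kernel package, kernels to remove) are taken from the text; the signing-key URL pattern is assumed to be the one from the Proxmox install guide, the postfix preseed answer "Local only" is an assumption about the host, and PVE_KEY_SHA512 is an optional variable you set from the guide's published checksum. Only pve_bootstrap changes the system, and it runs only when PVE_BOOTSTRAP=1 is set; the value-returning helpers need neither root nor network.

```shell
#!/bin/sh
# Added example: helpers for the Proxmox VE install procedure, keyed by Debian codename.
# Usage: PVE_BOOTSTRAP=1 sh pve-install.sh bookworm 203.0.113.10 prefix 123 example.com
set -eu

# pve_release_ok CODENAME: true only for the releases this procedure supports.
pve_release_ok() {
    case "$1" in bullseye|bookworm|trixie) return 0 ;; *) return 1 ;; esac
}

# pve_repo_line CODENAME: the pve-no-subscription source line for a release.
pve_repo_line() {
    pve_release_ok "$1" || { echo "unsupported Debian release: $1" >&2; return 1; }
    printf 'deb http://download.proxmox.com/debian/pve %s pve-no-subscription\n' "$1"
}

# pve_key_url CODENAME: release-specific repository signing key.
# Assumption: URL pattern as in the Proxmox install guide; verify against it.
pve_key_url() {
    printf 'https://enterprise.proxmox.com/debian/proxmox-release-%s.gpg\n' "$1"
}

# pve_kernel_pkg / pve_kernel_remove CODENAME: kernel to install and stock kernels to drop.
pve_kernel_pkg() {
    case "$1" in
        bullseye) printf 'pve-kernel-5.15\n' ;;
        bookworm|trixie) printf 'proxmox-default-kernel\n' ;;
        *) return 1 ;;
    esac
}
pve_kernel_remove() {
    case "$1" in
        bullseye) printf 'linux-image-amd64 linux-image-5.10*\n' ;;
        bookworm) printf 'linux-image-amd64 linux-image-6.1*\n' ;;
        trixie)   printf 'linux-image-amd64 linux-image-6.12*\n' ;;
        *) return 1 ;;
    esac
}

# pve_hosts_line IP PREFIX SERVER_ID ZONE: the /etc/hosts entry, FQDN before the short
# name, so that `hostname --ip-address` returns the server IP rather than 127.0.1.1.
pve_hosts_line() {
    printf '%s %s%s.%s %s%s\n' "$1" "$2" "$3" "$4" "$2" "$3"
}

# pve_hosts_update IP PREFIX SERVER_ID ZONE [FILE]: drop every existing line for the FQDN
# (including the 127.0.1.1 entry Debian's installer writes) and append a fresh one,
# so repeated runs never stack duplicates. FILE defaults to /etc/hosts.
pve_hosts_update() {
    file="${5:-/etc/hosts}"
    fqdn="$2$3.$4"
    pat="$(printf '%s' "$fqdn" | sed 's/\./\\./g')"   # literal dots for grep -E
    tmp="$(mktemp)"
    {
        grep -Ev "[[:space:]]${pat}([[:space:]]|\$)" "$file" || true
        pve_hosts_line "$1" "$2" "$3" "$4"
    } > "$tmp"
    cat "$tmp" > "$file"   # cat, not mv: keeps the owner and mode of the live file
    rm -f "$tmp"
}

# pve_bootstrap CODENAME IP PREFIX SERVER_ID ZONE: apply the steps in order, as root.
pve_bootstrap() {
    codename="$1"
    pve_release_ok "$codename"
    hostnamectl set-hostname "$3$4.$5"
    pve_hosts_update "$2" "$3" "$4" "$5"

    pve_repo_line "$codename" > /etc/apt/sources.list.d/pve-install-repo.list
    key="/etc/apt/trusted.gpg.d/proxmox-release-${codename}.gpg"
    curl -fsSL "$(pve_key_url "$codename")" -o "$key"
    # Optional pinning: export PVE_KEY_SHA512 with the digest from the install guide.
    if [ -n "${PVE_KEY_SHA512:-}" ]; then
        printf '%s  %s\n' "$PVE_KEY_SHA512" "$key" | sha512sum -c - || { rm -f "$key"; return 1; }
    fi
    apt-get update
    # Preseed postfix so the install stays non-interactive (assumption: "Local only" fits).
    echo 'postfix postfix/main_mailer_type select Local only' | debconf-set-selections
    DEBIAN_FRONTEND=noninteractive apt-get install -y \
        proxmox-ve postfix open-iscsi debconf-utils isc-dhcp-client
    # proxmox-ve drops an enterprise repo file; without a subscription it only breaks apt.
    for f in /etc/apt/sources.list.d/pve-enterprise.list /etc/apt/sources.list.d/pve-enterprise.sources; do
        if [ -f "$f" ]; then sed -i 's/^[^#]/# &/' "$f"; fi
    done
    apt-get install -y "$(pve_kernel_pkg "$codename")"
    set -f   # the removal list holds apt patterns like linux-image-6.1*; do not let the shell glob them
    apt-get remove -y $(pve_kernel_remove "$codename")
    set +f
    update-grub
    apt-get remove -y os-prober
    echo "reboot now to boot the Proxmox kernel" >&2
}

if [ "${PVE_BOOTSTRAP:-0}" = 1 ]; then
    pve_bootstrap "$@"
fi
```

The script is deliberately split into value-returning helpers and one mutating function: the helpers can be sourced and checked on any machine, and the mutating part refuses to run unless explicitly enabled.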

Access Rights and Security

Security configurations include the following measures:

  • Firewall: The Docker unit lists firewalld.service in its After directive. This only orders startup so that Docker's own iptables rules are inserted after firewalld has loaded (if it is installed); it adds no firewall rules itself, and the stock docker.service carries the same ordering.
  • Repository Security: The Proxmox enterprise repository file (pve-enterprise.list or pve-enterprise.sources) is commented out. That repository requires a subscription key; left enabled without one, apt update fails with authentication errors, so disabling it keeps apt working rather than blocking any update channel.
  • User Configuration: The Nginx directory /root/nginx is owned by root with permissions 0755.
  • Docker Security: The Docker unit uses KillMode=process so that systemd stops only dockerd and not the container processes that share its cgroup, and sets OOMScoreAdjust=-500 so the OOM killer prefers other processes over the daemon. Both values match the unit shipped by Docker.

Docker Containers and Their Deployment

Docker is installed and configured to run the Nginx proxy and Certbot services.

  • Docker Service: On Debian 13 (Trixie), the stock docker.service is replaced with a custom template written to /lib/systemd/system/docker.service. The unit starts dockerd against containerd and carries the resource limits and restart policy described above. Files under /lib/systemd/system belong to the package and are overwritten on upgrade; a drop-in in /etc/systemd/system/docker.service.d/ would survive upgrades.

  • Container Deployment: The proxy stack is deployed using Docker Compose. The configuration file is located at /root/nginx/compose.yml. The deployment command executed is:

    docker compose up -d
    
    This command is run from the /root/nginx directory.

  • Container Configuration: The compose.yml defines a single service named nginx using the image jonasal/nginx-certbot:latest.

  • Restart Policy: unless-stopped.
  • Network Mode: host.
  • Volumes:
    • nginx_secrets (external) mounted to /etc/letsencrypt.
    • /data/nginx/user_conf.d mounted to /etc/nginx/user_conf.d.
  • Environment:
    • CERTBOT_EMAIL is set to [email protected].
    • Additional environment variables are loaded from /data/nginx/nginx-certbot.env.
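The compose deployment above, as an added example in POSIX shell; it is not the page's own deployment script. The service definition follows the description above (image, restart policy, host networking, the two volumes, CERTBOT_EMAIL plus the env file); the directory defaults are the page's, CERTBOT_EMAIL falls back to a placeholder, and DOCKER is this script's own variable so the command can be pointed at a wrapper for a dry run. The point the text leaves implicit: a volume declared external is never created by compose, so `docker compose up` fails until it exists.

```shell
#!/bin/sh
# Added example: bring up the Nginx/Certbot proxy stack.
# Usage: DEPLOY_STACK=1 CERTBOT_EMAIL=ops@example.com sh deploy-proxy.sh
set -eu

DOCKER="${DOCKER:-docker}"
STACK_DIR="${STACK_DIR:-/root/nginx}"
CONF_DIR="${CONF_DIR:-/data/nginx/user_conf.d}"
ENV_FILE="${ENV_FILE:-/data/nginx/nginx-certbot.env}"
VOLUME="nginx_secrets"

# render_compose: the single-service compose file. The certificate volume is declared
# external so that `docker compose down -v` can never delete the Let's Encrypt keys.
render_compose() {
    cat <<EOF
services:
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    network_mode: host
    environment:
      - CERTBOT_EMAIL=${CERTBOT_EMAIL:-admin@example.com}
    env_file:
      - ${ENV_FILE}
    volumes:
      - ${VOLUME}:/etc/letsencrypt
      - ${CONF_DIR}:/etc/nginx/user_conf.d

volumes:
  ${VOLUME}:
    external: true
EOF
}

# ensure_volume NAME: compose never creates an external volume and `up` fails with
# "external volume not found" unless it exists, so create it once, idempotently.
ensure_volume() {
    if ! "$DOCKER" volume inspect "$1" >/dev/null 2>&1; then
        "$DOCKER" volume create "$1" >/dev/null
    fi
}

# deploy_stack: write compose.yml, make sure the env file exists and is root-only
# (it may carry settings that should not be world-readable), then start or update.
deploy_stack() {
    mkdir -p "$STACK_DIR" "$CONF_DIR" "$(dirname "$ENV_FILE")"
    render_compose > "$STACK_DIR/compose.yml"
    [ -f "$ENV_FILE" ] || : > "$ENV_FILE"
    chmod 0600 "$ENV_FILE"
    ensure_volume "$VOLUME"
    ( cd "$STACK_DIR" && "$DOCKER" compose up -d )
}

if [ "${DEPLOY_STACK:-0}" = 1 ]; then
    deploy_stack
fi
```

Because the image is pinned only to the latest tag, a later `docker compose up -d` reuses the cached image; run `docker compose pull` in /root/nginx first when an image update is intended.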

Proxy Servers

An Nginx proxy is deployed to handle SSL termination and forward traffic to the Proxmox VE web interface.

  • Proxy Configuration: A custom Nginx configuration file is created at /data/nginx/user_conf.d/prefixserver_id.hostkey.in.conf. The configuration includes a location / block that forwards traffic to the Proxmox service:

    location / {
        proxy_pass https://prefixserver_id.hostkey.in:8006;
    }
    
    Any existing proxy_pass lines in this file are removed before adding the new configuration.

  • SSL and Certbot: The jonasal/nginx-certbot container automatically manages SSL certificates via Let's Encrypt. Certificates are stored in the nginx_secrets volume mounted at /etc/letsencrypt.
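A complete site file for the proxy, as an added example that is not the page's or the project's own file. It wraps the location block above in the TLS server block jonasal/nginx-certbot expects (assumption: the container decides which certificates to obtain from ssl_certificate paths under /etc/letsencrypt/live/<name>/, and the certificate name equals the FQDN), and adds the WebSocket upgrade headers that the noVNC and xterm.js consoles need; the bare proxy_pass shown above serves the GUI but not the consoles. Instead of deleting proxy_pass lines in place it regenerates the whole file and swaps it in with one rename. The hostname, port 8006 and user_conf.d directory are the page's; CONF_DIR and the `install` argument convention belong to this script.

```shell
#!/bin/sh
# Added example: generate and install the Nginx server block for the Proxmox proxy.
# Usage: sh proxy-conf.sh install prefix123.example.com [/data/nginx/user_conf.d]
set -eu

PVE_PORT=8006
CONF_DIR="${CONF_DIR:-/data/nginx/user_conf.d}"

# render_pve_proxy_conf FQDN: print a full TLS server block for FQDN.
render_pve_proxy_conf() {
    fqdn="$1"
    cat <<EOF
# Generated for ${fqdn}; regenerate rather than editing by hand.
server {
    listen 443 ssl;
    server_name ${fqdn};

    # These paths are what jonasal/nginx-certbot reads to request and renew the
    # certificate (assumption: the certificate name equals the FQDN).
    ssl_certificate     /etc/letsencrypt/live/${fqdn}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${fqdn}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Large uploads (ISOs, backups) and long-lived console sessions.
    client_max_body_size 0;
    proxy_buffering off;
    proxy_connect_timeout 60s;
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;

    location / {
        # pveproxy presents its own certificate on 8006. nginx does not verify upstream
        # certificates unless proxy_ssl_verify is enabled; acceptable here only because
        # the hop stays on this host.
        proxy_pass https://${fqdn}:${PVE_PORT};
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # noVNC and xterm.js consoles are WebSockets; without these the GUI loads
        # but every console window fails.
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

# install_pve_proxy_conf FQDN [DIR]: write the rendered block atomically into DIR
# (default: the user_conf.d bind mount) and print the resulting path. Rewriting the
# whole file is what removes any stale proxy_pass from an earlier version.
install_pve_proxy_conf() {
    fqdn="$1"
    dir="${2:-$CONF_DIR}"
    target="${dir}/${fqdn}.conf"
    tmp="$(mktemp "${dir}/.${fqdn}.XXXXXX")"
    render_pve_proxy_conf "$fqdn" > "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$target"   # one rename: nginx never sees a half-written file
    printf '%s\n' "$target"
}

# count_proxy_pass FILE: post-install check that exactly one upstream is configured.
count_proxy_pass() {
    grep -c '^[[:space:]]*proxy_pass[[:space:]]' "$1" || true
}

if [ "${1:-}" = "install" ]; then
    install_pve_proxy_conf "${2:?FQDN required}" "${3:-}"
fi
```

After installing a new file, restart the container (`docker compose restart nginx` in /root/nginx) so nginx reloads its configuration and the container requests the certificate for the new server_name.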

Starting, Stopping, and Updating

Service management is handled via systemctl for system services and docker compose for containerized applications.

  • Docker Service:
    • To restart Docker (required after the unit file changes, as with the custom unit on Debian 13):
      systemctl daemon-reload
      systemctl restart docker
    • The unit sets Restart=always, so systemd restarts the daemon automatically if it exits.

  • Nginx Proxy Stack:
    • To start or update the proxy containers:
      docker compose up -d
      This command is executed from the /root/nginx directory. Because the image is pinned only to the latest tag, up -d reuses the locally cached image; run docker compose pull first when a newer image is wanted.

  • Proxmox VE Service: Proxmox VE runs as a set of standard systemd services (pveproxy serves the web interface on port 8006, pvedaemon handles the privileged API calls behind it). After installation and the kernel change, a reboot is required so the system boots the Proxmox kernel and starts those services on it:

    reboot
    
