Proxmox part 1: Installation and Setup
This post details how to install Proxmox and perform the initial configuration. It is an abbreviated supplement to the main Proxmox install guide.
Hardware requirements
- x86_64 CPU architecture (Intel and/or AMD 64 bit)
- VT-x (hardware acceleration for virtualization)
- VT-d or “directed IO”, for PCI passthrough support (optional)
- Wired ethernet for your LAN/WAN
Download Proxmox VE .iso image
Download the latest Proxmox VE release here
Write the image to a USB drive with dd or a tool like UNetbootin.
Install
Boot the USB drive installer in the target machine.
- Choose Install Proxmox VE (Graphical)
- Click the Target Options button, and change the Filesystem:
  - If you have one drive, choose zfs (RAID0)
  - If you have two drives available, choose zfs RAID1 mirror
  - If you have three or more, choose zfs RAIDZ-1.
  Use this ZFS size calculator to play around with various configurations.
- Select your Country, Time zone, and Keyboard layout.
- Choose a root password
- Enter your real email address, so that you receive notifications. (TODO: Requires setup of SMTP server later)
- Choose the primary / management network interface (NIC)
- Choose the fully qualified domain (host) name
- Set a static IP address (and reserve it with your LAN DHCP server, using the MAC address).
- Enter the upstream LAN gateway IP address.
- Enter the upstream LAN DNS server IP address.
- Finish the installation
- Reboot
Login to the proxmox dashboard
- Once the machine has rebooted, you will see the URL (and IP address) to access the dashboard printed on the console.
- Load the URL in your web browser, and log in with the username root and the password you chose during installation.
Setup SSH keys and secure properly
SSH is enabled by default, and you can log in with the username root and the password you chose during install. Because passwords are less secure than SSH keys, the next step is to install your SSH key and disable password authentication.
Create an SSH host entry in your workstation’s $HOME/.ssh/config file:
Host proxmox
Hostname 192.168.X.X
User root
(Change the Hostname 192.168.X.X to be the IP address of your Proxmox virtual machine.)
If you have not created an SSH identity on this workstation, you will need to run ssh-keygen.
- From your workstation, run ssh-copy-id proxmox, which will ask you to confirm the SSH key fingerprint, and for your remote password (chosen during install) to log in to the Proxmox server via SSH. It will copy your SSH key to the server’s authorized_keys file, which will allow all future logins to use key-based authentication instead of a password.
- SSH to the Proxmox host: run ssh proxmox. Ensure that no password is required (except perhaps for unlocking your key file). You will now be in the root account of Proxmox, be careful!
- You need to edit the /etc/ssh/sshd_config file. The text editors nano and vi are installed by default, or you can install other editors, for example apt install emacs-nox.
- Disable password authentication: search for the line that says PasswordAuthentication yes, which will be commented out with #. Remove the # to un-comment the line, and change the yes to a no.
- Save /etc/ssh/sshd_config and close the editor.
- Restart ssh, run: systemctl restart sshd
- Exit the SSH session, and test that logging in and out again still works, using your SSH key.
- To test that PasswordAuthentication is really turned off, you can attempt to SSH again, with a bogus username, one that you know does not really exist:
$ ssh hunter1@proxmox-k3s-1
hunter1@192.168.122.177: Permission denied (publickey).
The attempt should immediately fail and say Permission denied (publickey), and if it also does not ask you for a password, then you have successfully turned off password authentication.
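The edit above only takes effect if the un-commented line is the first value sshd obtains for that keyword. The following is an added example, not part of the original post: it reads a config file and reports which PasswordAuthentication value it sets, using constructed sample files; the function names are hypothetical, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original post): offline check of which
# PasswordAuthentication value an sshd_config file actually sets.

# effective_option FILE KEYWORD DEFAULT
# Prints the first uncommented global value of KEYWORD, or DEFAULT if none.
# sshd uses the first value it obtains for a keyword, so later duplicates are
# ignored. Stops at the first Match block; Include files are not followed.
effective_option() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            n = split($0, f, /[ \t=]+/)         # "Key value" or "Key=value"
            k = tolower(f[1])
            if (k == "match") exit              # conditional blocks start here
            if (k == key && n >= 2) { val = tolower(f[2]); exit }
        }
        END { print val }
    ' "$1"
}

# Succeeds only when password logins are really off in FILE.
password_login_disabled() {
    [ "$(effective_option "$1" PasswordAuthentication yes)" = "no" ]
}

# Constructed sample configs (assumed contents, for illustration only).
make_samples() {
    printf '%s\n' 'Port 22' '#PasswordAuthentication yes' > "$1/untouched.conf"
    printf '%s\n' 'Port 22' 'PasswordAuthentication no' > "$1/edited.conf"
    printf '%s\n' 'PasswordAuthentication yes' 'PasswordAuthentication no' \
        > "$1/duplicate.conf"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_samples "$dir"
    for f in untouched edited duplicate; do
        printf '%s: PasswordAuthentication %s\n' "$f" \
            "$(effective_option "$dir/$f.conf" PasswordAuthentication yes)"
    done
    rm -rf "$dir"
}
demo
```

On the Proxmox host itself, sshd -T prints the effective configuration (including any Include files), and sshd -t validates the file before you restart the service.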
Disable Enterprise features and enable Community repository (optional)
By default, Proxmox expects that you are an enterprise, and that you have an enterprise license for Proxmox. If you do, skip this section. However, you may also use the Proxmox community version, without a license (and it is the same .iso image installer and method for both versions.) To switch between these versions, you must use different apt package repositories. If you wish to use Proxmox exclusively with the Community, non-enterprise version, follow the rest of this section.
- You will see a warning message No valid subscription, which will nag you on each login unless you purchase an enterprise edition of Proxmox. Click OK to freely use the community version.
- On the left-hand side of the screen, find the Server View list, click the Proxmox host in the list.
- Find the Updates and Repositories screen on the Node details screen.
- Find the pve-enterprise repository in the list, and click it.
- Click the Disable button at the top of the list.
- You will see a message that says No Proxmox VE repository is enabled.
- Click Add, it will nag you about the license again, just click OK.
- Select No-Subscription in the Repository drop-down list, click Add.
- You should now expect to see this warning message: The no-subscription repository is not recommended for production use.
Setup Firewall
By default the Proxmox instance has an open firewall, but this can be made more secure by only accepting connections from specific sources, for example to lock it down to only being accessed from your workstation. This is particularly important to do if you chose to use the bridge network selection in virt-manager when you created the VM.
- In the Server View list, click the line that says Datacenter.
- On the datacenter screen, find the Firewall settings.
- Click the Add button to add firewall rules.
- There are default anti-lockout rules for port 22 and 8006, but only accessible from the same subnet. You should create your own rules for these ports so that you don’t lock yourself out.
The firewall is turned off by default. To enable the firewall, find the Firewall Options submenu page, on the new screen double-click Firewall (value No) at the top of the list. In the popup window, checkmark the box to enable the firewall, then click OK. (The Firewall value should now show Yes).
You can discuss this blog on Matrix (Element): #blog-rymcg-tech:enigmacurry.com
This blog is copyright EnigmaCurry and dual-licensed CC-BY-SA and MIT. The source is on github: enigmacurry/blog.rymcg.tech and PRs are welcome. ❤️