ProxMox Updating through VSAT (Vessel)

Sarlis Dimitris

Active Member
Oct 19, 2018
26
2
43
43
Good day,
I am wondering on what to open in my firewall onboard a vessel that will be equipped with 3 servers running ProxMox 6.0
Thing is that I cannot leave wide open from satellite the http protocol neither ftp.
So we are wondering if we can provide links for updating.
deb http://ftp.gr.debian.org/debian buster main contrib

deb http://ftp.gr.debian.org/debian buster-updates main contrib

# security updates
deb http://security.debian.org buster/updates main contrib

Do we need anything else?
Can i go only with http://ftp.gr.debian.org/ to read any upcoming releases?

thank you in advance
 
Hi Chris,
maybe I did not explain well my intention. I need to allow the "router" to access the update server for proxmox. At this very moment, internet to endpoints works only under a specific VLAN and under specific rules/ allowed domains.
So do i need to open a specific ftp or http domain to access updating in ProxMox? Can I add to my firewall the exemption of:
Code:
https://enterprise.proxmox.com
http://ftp.gr.debian.org/debian
http://security.debian.org
 
those should be enough to get a PVE updated
(if you want to update the firmware of your host that's probably another host - and it can be necessary to update the firmwares to keep the system stable)
 
A colleague just reminded me that you need to also allow https access to shop.maurer-it.com:443 for the subscription check
 
Hi everybody,
Already tried to open shop.maurer-it.com at any port but still no luck,
This is performed with domain name.
Is there an option to go with IP?
 
Using an IP is not really a good idea - since we might move the host at some point (not really planned - but the thing that should remain stable is shop.maurer-it.com)
currently it points to: 2a01:7e0:0:424::2 and 79.133.36.249

connection needs to be possible to port 443/tcp

What is the problem/error you're running into exactly?
 
The error message seems like there is a problem with the DNS-resolution on the PVE-host in general:
* configure a working DNS-server inside PVE
* you can verify that it works by pinging e.g. google.com

I hope this helps!
 
Inside my network I have the 192.168.108.254 gateway which allows connection to internet. Thing is that firewall is Ok.
I also added as alterntive 8.8.8.8
Still no change, I am working on it and revert
 
here you are:
Code:
search group.local
nameserver 192.168.108.254
nameserver 8.8.8.8

ping -c 4 192.168.108.254:
Code:
root@oberon1:~# ping -c 4 192.168.108.254
PING 192.168.108.254 (192.168.108.254) 56(84) bytes of data.
64 bytes from 192.168.108.254: icmp_seq=1 ttl=64 time=0.654 ms
64 bytes from 192.168.108.254: icmp_seq=2 ttl=64 time=0.515 ms
64 bytes from 192.168.108.254: icmp_seq=3 ttl=64 time=0.479 ms
64 bytes from 192.168.108.254: icmp_seq=4 ttl=64 time=0.508 ms

ping 8.8.8.8
Code:
root@oberon1:~# ping -c 4 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=39 time=1017 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=39 time=1051 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=39 time=1050 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=39 time=1020 ms

google:
Code:
root@oberon1:~# ping -c 4 google.com
ping: google.com: Temporary failure in name resolution
 
root@oberon1:~# ping -c 4 google.com ping: google.com: Temporary failure in name resolution
seems 192.168.0.254 does not offer dns (and/or does not have the correct policies to allow the PVE host to do DNS-resolution.

You need to setup DNS correctly

I hope this helps!
 
As we setup the firewall we have 108.254 as DNS, see below
2019-12-18 12_37_56-SIGMA Portal _ Firewall Rules - Opera.png

I do not know if the satellite has limitation or not allowance as we are through satellite internet.
 
I've also tried to update but with no luck
Code:
Virtual Environment 6.0-12
Node 'oberon1'
Show details
Logs
()
starting apt-get update
Get:1 http://security.debian.org buster/updates InRelease [3687 B]
Err:1 http://security.debian.org buster/updates InRelease
  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
Get:2 http://download.proxmox.com/debian/ceph-nautilus buster InRelease [3701 B]
Err:2 http://download.proxmox.com/debian/ceph-nautilus buster InRelease
  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
Get:3 http://ftp.gr.debian.org/debian buster InRelease [3685 B]
Err:3 http://ftp.gr.debian.org/debian buster InRelease
  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
Ign:4 https://enterprise.proxmox.com/debian/pve buster InRelease
Get:5 http://ftp.gr.debian.org/debian buster-updates InRelease [3693 B]
Err:5 http://ftp.gr.debian.org/debian buster-updates InRelease
  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
Err:6 https://enterprise.proxmox.com/debian/pve buster Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 212.224.123.70 443]
Reading package lists...
E: The repository 'http://security.debian.org buster/updates InRelease' is no longer signed.
E: Failed to fetch http://security.debian.org/dists/buster/updates/InRelease  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
E: The repository 'http://download.proxmox.com/debian/ceph-nautilus buster InRelease' is no longer signed.
E: Failed to fetch http://download.proxmox.com/debian/ceph-nautilus/dists/buster/InRelease  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
E: Failed to fetch http://ftp.gr.debian.org/debian/dists/buster/InRelease  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
E: The repository 'http://ftp.gr.debian.org/debian buster InRelease' is no longer signed.
E: Failed to fetch http://ftp.gr.debian.org/debian/dists/buster-updates/InRelease  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
E: The repository 'http://ftp.gr.debian.org/debian buster-updates InRelease' is no longer signed.
E: The repository 'https://enterprise.proxmox.com/debian/pve buster Release' no longer has a Release file.
TASK ERROR: command 'apt-get update' failed: exit code 100
 
Made some changes from provider with full access and now ping is ok:
Code:
PING google.com (216.58.211.110) 56(84) bytes of data.
64 bytes from ams15s32-in-f14.1e100.net (216.58.211.110): icmp_seq=1 ttl=40 time=944 ms
64 bytes from ams15s32-in-f14.1e100.net (216.58.211.110): icmp_seq=2 ttl=40 time=989 ms
64 bytes from ams15s32-in-f14.1e100.net (216.58.211.110): icmp_seq=3 ttl=40 time=932 ms
64 bytes from ams15s32-in-f14.1e100.net (216.58.211.110): icmp_seq=4 ttl=40 time=932 ms

thing is that I have error in certificate still even when i added [trusted=yes] into sources.list
 
Made some changes from provider with full access and now ping is ok:
great!

thing is that I have error in certificate still even when i added [trusted=yes] into sources.list
My guess is that the ISP wants you to use a http(s) proxy - they should provide you with the necessary settings.

Access to the enterprise repository needs to happen via https

the trusted=yes line cannot help with the error because this happens on a different level (TLS connection establishment vs. package verification)

I hope this helps!
 
thanks for your help Stoiko, i need to ask also for subscription check cause i still cannot check. Certificate error in here also error 500, any ideas?
IP did not work either
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!