[SOLVED] New PVE install on encrypted debian

esprox

Sep 1, 2024
Hi, I am about to repurpose an old computer as a NAS/Homeserver and wanted to try Proxmox for this.
Since I want the system partition to be encrypted, I checked this guide, which basically says to set up Debian encrypted and then install Proxmox VE according to this wiki entry.
Everything went fine so far, I followed all recommendations in the Debian installer and got the LVM setup where a small partition is unencrypted so I can boot grub and then decrypt the system partition to boot into. This worked fine and I was able to boot and log in multiple times. I did not install a Desktop.

Installing the pve kernel and rebooting worked fine, after that I installed proxmox-ve postfix open-iscsi chrony and removed the Debian Kernel and the os-prober. I was able to reach the proxmox webinterface from another computer and log in as well as sshing into the debian. I did not yet create the linux bridge mentioned in the wiki entry.

I then tried to reboot the system, but I can't get to login anymore.
After the GRUB screen, I get a short

Booting `Proxmox VE GNU/Linux'

Loading Linux 6.8.12-1-pve ...
Loading initial ramdisk ...
Which then disappears and brings me to the cryptsetup.
I still get to enter the sda5_crypt and get
cryptsetup: sda5_crypt: set up successfully
/dev/mapper/exprox--vg-root: clean, x/y files, a/b blocks
where abxy are actual numbers. Then the screen disappears shortly as it tries to open a new shell but goes back to the cryptsetup text with a blinking underscore, but doesn't add text I type. When trying to open other shells with Ctrl + Super + Fx, it opens one but there's the flashing underscore again instead of asking me for login data.

The computer is not listed in the router's connected devices.

I'd be glad for any hints what went wrong. I don't know the specifics of cryptsetup and how it may interfere with the new kernel.

Edit: I'm able to mount the cryptvolume with a debian live recovery system and chroot into my installation. update-initram, update-grub and reinstalling the pve kernel were all successful but didn't help with my problem after rebooting into the disk system again.
 
It seems like my post disappeared this night and reappeared some time today, is that normal?
 
It seems like my post disappeared this night and reappeared some time today, is that normal?

Unfortunately what happens on this forum for any new account is to get auto-spam-filtered till someone manually approves it in the morning. This happens especially when your posts are very verbose. Then you basically have to bump it like this. ;)

Since I want the system partition to be encrypted, I checked this guide, which basically says to set up Debian encrypted and then install Proxmox VE according to this wiki entry.

That's a massive guide with bells and whistles, it does not say to set up on LUKS/LVM by a regular installer, but LIVE boot Debian, then copies over the installation. How exactly did you install your Debian on LUKS/LVM?

Everything went fine so far, I followed all recommendations in the Debian installer and got the LVM setup where a small partition is unencrypted so I can boot grub and then decrypt the system partition to boot into. This worked fine and I was able to boot and log in multiple times. I did not install a Desktop.

Did you use regular Debian installer after all?
 
Unfortunately what happens on this forum for any new account is to get auto-spam-filtered till someone manually approves it in the morning. This happens especially when your posts are very verbose. Then you basically have to bump it like this. ;)
Thanks for the explanation!
That's a massive guide with bells and whistles, it does not say to set up on LUKS/LVM by a regular installer, but LIVE boot Debian, then copies over the installation. How exactly did you install your Debian on LUKS/LVM?
It's mostly for adding encryption to an existing installation. The instruction for a new one is rather short (hardly a guide for my case, admittedly). I disconnected all drives except the SSD I wanted to install on before booting into the installer and in the partitioning step I chose the guided encrypted way, I don't have the exact name remembered, and instructed it to use the whole drive, removing all old partitions. (It actually erased the disk before so it took a while.)

How do I add encryption during Proxmox installation?

This tutorial deals with encryption of an existing installation. If you are starting fresh, my recommendation would be to install Debian with full disk encryption and then add Proxmox to it. This is also an advanced method, but is at least documented officially. You can also just install Proxmox unencrypted and then use this guide. It's a bit cumbersome, but should work.

Did you use regular Debian installer after all?
Yes, I've put the debian-12.7.0-amd64-DVD-1.iso on a USB drive and went from there with the guided graphical installer. I can still use the stick to mount the cryptvolume and chroot into the system that's not booting otherwise.
 
back to the cryptsetup text with a blinking underscore, but doesn't add text I type

Edit: I'm able to mount the cryptvolume with a debian live recovery system and chroot into my installation. update-initram, update-grub and reinstalling the pve kernel were all successful but didn't help with my problem after rebooting into the disk system again.

Is it possible this is a display issue, actually? Can you boot with nomodeset added as kernel cmdline (the actual install you already have, not the installer):
https://pve.proxmox.com/pve-docs/chapter-pve-installation.html#nomodeset_kernel_param
 
Is it possible this is a display issue, actually? Can you boot with nomodeset added as kernel cmdline (the actual install you already have, not the installer):
https://pve.proxmox.com/pve-docs/chapter-pve-installation.html#nomodeset_kernel_param
Thank you for the suggestion! I set the nomodeset parameter and the behaviour changed a little in that the screen dis- and reappearing doesn't happen anymore but I simply stay at the blinking underscore after I get the unlock success message.

Edit: Booting the recovery mode reveals repeating error messages with dhclient, I assume the static IP and my router's dhcp are a bad combination, I'll try to boot the Debian live image and remove the changes in /etc/hosts to see if it gets up.
 
Edit: Booting the recovery mode reveals repeating error messages with dhclient, I assume the static IP and my router's dhcp are a bad combination, I'll try to boot the Debian live image and remove the changes in /etc/hosts to see if it gets up.

I doubt that has anything to do with "no more screen output", the /etc/hosts is more necessary for PVE to work properly, even if you had e.g. IP conflict (that would be statically in /etc/network/interfaces) it would still boot, just experience network issues. So you are saying there's anything logged for those boots that provide no more outputs after cryptsetup unlock? Can you post such log here?
 
I doubt that has anything to do with "no more screen output", the /etc/hosts is more necessary for PVE to work properly, even if you had e.g. IP conflict (that would be statically in /etc/network/interfaces) it would still boot, just experience network issues. So you are saying there's anything logged for those boots that provide no more outputs after cryptsetup unlock? Can you post such log here?
Right, that didn't work.

Emergency actually lets me log into root ("Give root password for maintenance"), it was just buried in error messages so I missed it last time. They repeatedly say, after the timestamp:

audit: type1400 audit(1725304876.774:57): apparmor="DENIED" operations="create" class="net" info="failed type and protocol match" error=-13 profiles="{,usr/}sbin/dhclient" pid=645 comm="dhclient" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
(I hope I made no typos as I can't copy from there)


Here's a photo from the screen before it gets flooded with error messages - sorry for the quality, I don't have much time to take the pic. https://wolki.lapete.de/s/28f2bS4rxCfaXzf

The computer is connected to my router, and systemctl status sshd says it's up, but I can't reach it on port 22. I can ping it though.

I can now use journalctl but I'm not quite sure what I'm looking for. For the error, I followed this proposed solution, but that leads to an error in starting apparmor.service so I probably put it at the wrong place.
 
Right, that didn't work.

Ok, just to make it clear because previously you provided info on LIVE booting Debian and chroot, now rescue (I think grub item is "recovery" confusingly) boot and logs and then referring to SSH. But I have trouble making sense of all these because e.g. there's no way sshd is launched (other than by you manually) by systemd in rescue target. Also the logs you are accessing might be from the past boot or you are accessing other logs than you had thought (e.g. on LIVE boot).

Emergency actually lets me log into root ("Give root password for maintenance"), it was just buried in error messages so I missed it last time. They repeatedly say, after the timestamp:

audit: type1400 audit(1725304876.774:57): apparmor="DENIED" operations="create" class="net" info="failed type and protocol match" error=-13 profiles="{,usr/}sbin/dhclient" pid=645 comm="dhclient" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
(I hope I made no typos as I can't copy from there)
Here's a photo from the screen before it gets flooded with error messages - sorry for the quality, I don't have much time to take the pic. https://wolki.lapete.de/s/28f2bS4rxCfaXzf

Actually I would want to see those further error messages. :D

The computer is connected to my router, and systemctl status sshd says it's up, but I can't reach it on port 22. I can ping it though.

What exactly does it say? Up is not what it says, it would say e.g. enabled and inactive on rescue boot, typically.

I can now use journalctl but I'm not quite sure what I'm looking for.

I would start with --list-boots and check the one where you were attempting to boot normally, then post everything from it. You can totally e.g. journalctl -b -1 > dump-this-onto-usb-drive.log

For the error, I followed this proposed solution, but that leads to an error in starting apparmor.service so I probably put it at the wrong place.

I am lost yet again. :D Can't quite infer what the "solution" was, but it would be good to know what error outputs are generated by what inputs. :)
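
An added example, not written by anyone in this thread: a small Python triage script for a boot log saved with journalctl -b -1 as suggested above. It collapses the repeating AppArmor dhclient denials into one count so the remaining boot messages are no longer buried. The sample lines are constructed, modelled on the denial quoted in the thread, and the function names are illustrative.

```python
import re
import sys
from collections import Counter

# key=value / key="value" pairs as they appear in kernel audit records
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample, modelled on the denial quoted in the thread (not a real log).
_DENY = ('Sep 02 21:21:1{n} host kernel: audit: type=1400 '
         'audit(1725304876.77{n}:5{n}): apparmor="DENIED" operation="create" '
         'class="net" info="failed type and protocol match" error=-13 '
         'profile="/{{,usr/}}sbin/dhclient" pid=645 comm="dhclient" '
         'family="unix" sock_type="dgram" protocol=0 requested="create" '
         'denied="create" addr=none')
SAMPLE = [_DENY.format(n=i) for i in (6, 7, 8)] + [
    "Sep 02 21:21:19 host systemd[1]: Failed to start example.service "
    "- constructed placeholder unit.",
]

def parse_denial(line):
    """Return the audit fields of an AppArmor denial, or None for any other line."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD.findall(line)}

def triage(lines):
    """Split a boot log into counted AppArmor denials and everything else."""
    denials, other = Counter(), []
    for raw in lines:
        line = raw.rstrip("\n")
        fields = parse_denial(line)
        if fields is None:
            if line.strip():
                other.append(line)
            continue
        # Kernel spelling is profile=/operation=; hand-copied lines may use plurals.
        profile = fields.get("profile") or fields.get("profiles", "?")
        operation = fields.get("operation") or fields.get("operations", "?")
        denials[(profile, operation, fields.get("family", "?"))] += 1
    return denials, other

if __name__ == "__main__":
    # Usage: journalctl -b -1 > boot.log ; python3 triage.py boot.log
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    denials, other = triage(lines)
    for (profile, operation, family), count in denials.most_common():
        print(f"{count:6d}x DENIED {operation} family={family} profile={profile}")
    print(f"--- {len(other)} other line(s) ---", *other, sep="\n")
```

Run it against a dump taken from the boot that failed, not from a live or rescue boot, so the counts describe the right session.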
 
Found the culprit:
I did not yet create the linux bridge mentioned in the wiki entry.
I figured I could do that after reboot, but it's necessary to boot. Configured the bridge, system is working now and I can finally test proxmox.
I am lost yet again. :D Can't quite infer what the "solution" was, but it would be good to know what error outputs are generated by what inputs. :)
My bad, sorry - I missed the link which I now fixed.
As stated above, the error was the missing bridge! And just to clarify, yes, I tried to start the sshd in the proxmox-rescue mode, it was shown Active: active (running) but not accessible from another computer. I did not properly distinguish between proxmox-rescue and debian-repair, causing further confusion, sorry for that.

Thank you for all your input!
 
Found the culprit:

I figured I could do that after reboot, but it's necessary to boot. Configured the bridge, system is working now and I can finally test proxmox.

Actually you get my head scratching from this once more. :D Because I literally quickly dumped a virtualised fresh PVE on a fresh EFI (because of another troubleshooting), while at that on top of LUKS from Debian vanilla install. No network config, I basically even left it on DHCP and just fixed up /etc/hosts so that pve-cluster is happy. So no bridge. And yeah I got those funny apparmor denies on the dhclient, but it booted up just fine.

My bad, sorry - I missed the link which I now fixed.

Ironically, this stellar forum solution thinks anyone editing posts and adding links is a spammer so instead it disappears altogether. :D

As stated above, the error was the missing bridge!

I don't believe you. :D There's something else wrong, maybe you were booting up and just had no network, but you should have had normal boot messages after the LUKS unlock. Very very weird.

And just to clarify, yes, I tried to start the sshd in the proxmox-rescue mode, it was shown Active: active (running) but not accessible from another computer. I did not properly distinguish between proxmox-rescue and debian-repair, causing further confusion, sorry for that.

No worries, it's just from the other side here, a bit frustrating when something is ambiguous and it leaves one guessing of the possible options. At the same time, as with any new posts, some people just blindly follow any random stackoverflow and so e.g. listing journal entries on a live boot and analysing it like it was the host boot log. Seen it all here. No hard feelings. :)

Thank you for all your input!

You're welcome, I just still wonder what this thing was. :)

EDIT: If there's any good takeaway from this, perhaps it is not to have 'quiet' on the GRUB_CMDLINE_LINUX_DEFAULT. This is for both Debian install or regular ISO install.
 
Try adding rootdelay to your kernel options. It may work once or twice but the delay has helped me in weird config situations.

Do you have a GPU or multiple GPUs? I typically see this behavior with the new Debian stuff that has the enhanced systemd video modes and the UEFI configs are ignored.
 