ProxMox Updating through VSAT (Vessel)

Sarlis Dimitris

Active Member
Oct 19, 2018
Good day,
I am wondering what to open in my firewall onboard a vessel that will be equipped with 3 servers running ProxMox 6.0.
The thing is that I cannot leave the HTTP protocol or FTP wide open from the satellite.
So we are wondering if we can provide links for updating.
deb http://ftp.gr.debian.org/debian buster main contrib

deb http://ftp.gr.debian.org/debian buster-updates main contrib

# security updates
deb http://security.debian.org buster/updates main contrib

Do we need anything else?
Can I go only with http://ftp.gr.debian.org/ to read any upcoming releases?

Thank you in advance
 
Hi Chris,
Maybe I did not explain my intention well. I need to allow the "router" to access the update server for Proxmox. At this very moment, internet to endpoints works only under a specific VLAN and under specific rules/allowed domains.
So do I need to open a specific FTP or HTTP domain to access updating in ProxMox? Can I add to my firewall the exemption of:
Code:
https://enterprise.proxmox.com
http://ftp.gr.debian.org/debian
http://security.debian.org
 
those should be enough to get a PVE updated
(if you want to update the firmware of your host that's probably another host - and it can be necessary to update the firmwares to keep the system stable)
 
A colleague just reminded me that you need to also allow https access to shop.maurer-it.com:443 for the subscription check
 
Hi everybody,
Already tried to open shop.maurer-it.com at any port but still no luck.
This is performed with the domain name.
Is there an option to go with the IP?
 
Using an IP is not really a good idea - since we might move the host at some point (not really planned - but the thing that should remain stable is shop.maurer-it.com)
currently it points to: 2a01:7e0:0:424::2 and 79.133.36.249

connection needs to be possible to port 443/tcp

What is the problem/error you're running into exactly?
 
The error message seems like there is a problem with the DNS-resolution on the PVE-host in general:
* configure a working DNS-server inside PVE
* you can verify that it works by pinging e.g. google.com

I hope this helps!
 
Inside my network I have the 192.168.108.254 gateway, which allows connection to the internet. The thing is that the firewall is OK.
I also added 8.8.8.8 as an alternative.
Still no change; I am working on it and will revert.
 
here you are:
Code:
search group.local
nameserver 192.168.108.254
nameserver 8.8.8.8

ping -c 4 192.168.108.254:
Code:
root@oberon1:~# ping -c 4 192.168.108.254
PING 192.168.108.254 (192.168.108.254) 56(84) bytes of data.
64 bytes from 192.168.108.254: icmp_seq=1 ttl=64 time=0.654 ms
64 bytes from 192.168.108.254: icmp_seq=2 ttl=64 time=0.515 ms
64 bytes from 192.168.108.254: icmp_seq=3 ttl=64 time=0.479 ms
64 bytes from 192.168.108.254: icmp_seq=4 ttl=64 time=0.508 ms

ping 8.8.8.8
Code:
root@oberon1:~# ping -c 4 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=39 time=1017 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=39 time=1051 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=39 time=1050 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=39 time=1020 ms

google:
Code:
root@oberon1:~# ping -c 4 google.com
ping: google.com: Temporary failure in name resolution
 
root@oberon1:~# ping -c 4 google.com
ping: google.com: Temporary failure in name resolution
Seems 192.168.0.254 does not offer DNS (and/or does not have the correct policies to allow the PVE host to do DNS resolution).

You need to setup DNS correctly

I hope this helps!
 
As we setup the firewall we have 108.254 as DNS, see below
2019-12-18 12_37_56-SIGMA Portal _ Firewall Rules - Opera.png

I do not know whether the satellite has a limitation or does not allow it, as we are on satellite internet.
 
I've also tried to update but with no luck
Code:
Virtual Environment 6.0-12
Node 'oberon1'
Show details
Logs
()
starting apt-get update
Get:1 http://security.debian.org buster/updates InRelease [3687 B]
Err:1 http://security.debian.org buster/updates InRelease
  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
Get:2 http://download.proxmox.com/debian/ceph-nautilus buster InRelease [3701 B]
Err:2 http://download.proxmox.com/debian/ceph-nautilus buster InRelease
  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
Get:3 http://ftp.gr.debian.org/debian buster InRelease [3685 B]
Err:3 http://ftp.gr.debian.org/debian buster InRelease
  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
Ign:4 https://enterprise.proxmox.com/debian/pve buster InRelease
Get:5 http://ftp.gr.debian.org/debian buster-updates InRelease [3693 B]
Err:5 http://ftp.gr.debian.org/debian buster-updates InRelease
  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
Err:6 https://enterprise.proxmox.com/debian/pve buster Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 212.224.123.70 443]
Reading package lists...
E: The repository 'http://security.debian.org buster/updates InRelease' is no longer signed.
E: Failed to fetch http://security.debian.org/dists/buster/updates/InRelease  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
E: The repository 'http://download.proxmox.com/debian/ceph-nautilus buster InRelease' is no longer signed.
E: Failed to fetch http://download.proxmox.com/debian/ceph-nautilus/dists/buster/InRelease  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
E: Failed to fetch http://ftp.gr.debian.org/debian/dists/buster/InRelease  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
E: The repository 'http://ftp.gr.debian.org/debian buster InRelease' is no longer signed.
E: Failed to fetch http://ftp.gr.debian.org/debian/dists/buster-updates/InRelease  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
E: The repository 'http://ftp.gr.debian.org/debian buster-updates InRelease' is no longer signed.
E: The repository 'https://enterprise.proxmox.com/debian/pve buster Release' no longer has a Release file.
TASK ERROR: command 'apt-get update' failed: exit code 100
 
Made some changes from provider with full access and now ping is ok:
Code:
PING google.com (216.58.211.110) 56(84) bytes of data.
64 bytes from ams15s32-in-f14.1e100.net (216.58.211.110): icmp_seq=1 ttl=40 time=944 ms
64 bytes from ams15s32-in-f14.1e100.net (216.58.211.110): icmp_seq=2 ttl=40 time=989 ms
64 bytes from ams15s32-in-f14.1e100.net (216.58.211.110): icmp_seq=3 ttl=40 time=932 ms
64 bytes from ams15s32-in-f14.1e100.net (216.58.211.110): icmp_seq=4 ttl=40 time=932 ms

The thing is that I still have an error in the certificate, even when I added [trusted=yes] into sources.list
 
Made some changes from provider with full access and now ping is ok:
great!

The thing is that I still have an error in the certificate, even when I added [trusted=yes] into sources.list
My guess is that the ISP wants you to use an HTTP(S) proxy - they should provide you with the necessary settings.

Access to the enterprise repository needs to happen via https

the trusted=yes line cannot help with the error because this happens on a different level (TLS connection establishment vs. package verification)

I hope this helps!
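
An added example, not part of the original posts: a small shell filter that sorts the failing repositories in `apt-get update` output by the layer at which the fetch broke, which is the distinction the reply above draws between TLS connection establishment and package verification. The layer names, hint wording and function names are this example's own; the DNS sample line is constructed.

```bash
# Added example, not from the thread: classify failing repositories in
# `apt-get update` output by the layer at which the fetch broke.

# Reads apt output on stdin; prints "<layer> <url> <suite>" per failing repo.
classify_apt_errors() {
  awk '
    /^Err:[0-9]+ / { repo = $2 " " $3; next }  # detail follows on the next line
    repo != "" && /^  / {
      layer = "other"
      if      ($0 ~ /Temporary failure resolving/)     layer = "dns"
      else if ($0 ~ /Certificate verification failed/) layer = "tls"
      else if ($0 ~ /Clearsigned file isn.t valid/)    layer = "payload"
      else if ($0 ~ /Could not connect|timed out/)     layer = "tcp"
      print layer, repo
    }
    { repo = "" }
  '
}

# Next step per layer (wording is this example's, not apt's).
hint_for() {
  case "$1" in
    dns)     echo "name lookup failed: check resolver and DNS firewall rule" ;;
    tcp)     echo "host/port unreachable: check the firewall allowlist" ;;
    tls)     echo "issuer not trusted: ask provider about an HTTPS proxy; trusted=yes does not apply here" ;;
    payload) echo "reply was not a signed InRelease file: ask provider about a proxy or login page" ;;
    *)       echo "read the full apt error" ;;
  esac
}

report() {
  classify_apt_errors | while read -r layer url suite; do
    printf '%-8s %s %s\n  -> %s\n' "$layer" "$url" "$suite" "$(hint_for "$layer")"
  done
}

# Sample input: first five lines from the log in the thread (TLS line
# shortened), last two lines constructed to show a DNS failure.
sample_log() {
  cat <<'EOF'
Err:1 http://security.debian.org buster/updates InRelease
  Clearsigned file isn't valid, got 'NOSPLIT' (does the network require authentication?)
Ign:4 https://enterprise.proxmox.com/debian/pve buster InRelease
Err:6 https://enterprise.proxmox.com/debian/pve buster Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.
Err:7 http://ftp.gr.debian.org/debian buster InRelease
  Temporary failure resolving 'ftp.gr.debian.org'
EOF
}

sample_log | report
```

On a host, pipe the real output through it with `apt-get update 2>&1 | report`.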
 
Thanks for your help, Stoiko. I also need to ask about the subscription check, because I still cannot check. Certificate error here also, error 500. Any ideas?
The IP did not work either.