I created a VM and installed Debian with LVM LUKS partition and booted into it with no problems. I then installed Proxmox over this as per wiki and booted into it with no problems BUT I cannot connect to the web interface. Proxmox is working and I can access the console. What am I doing wrong?
Testing Nested Proxmox on Encrypted Debian Install (Proxmox 6.4 + Debian 10.9)
- Thread starter Whitterquick
- Start date
Is the virtual pve in the same subnet? Can you ping it? What does
ip a say?
Hello ph0x,
Thanks for the tips. It is in the same subnet but seems my static IP setting didn’t work. I was able to get the correct IP from ip a and then ping and connect successfully via https.
Is anything lost by installing Proxmox this way? I was just reading this thread/post that says the regular Proxmox install takes care of a few things that installing over Debian does not. This still seems like the best way of encrypting the Proxmox VE install?
I needed to install some stuff by myself. For example the "ksmtuned", "pve-headers" and "postfix" packages.
Hello Dunuin,
What do these do? Are they still missing?
Does anyone else know of anything missing from installing over Debian as opposed to installing from the Proxmox VE image?
"ksmtuned" is doing RAM deduplication. Without it Proxmox won't be able to save RAM and "KSM Sharing" on your nodes summary will always show "0 GiB".
"pve-headers" are sometimes needed by other programs. For example if you need to compile something.
"postfix" is the SMTP server. Without it Proxmox won't be able to send mails (so no notification mails if a HDD dies, backup failed and so on).
"pve-headers" are sometimes needed by other programs. For example if you need to compile something.
"postfix" is the SMTP server. Without it Proxmox won't be able to send mails (so no notification mails if a HDD dies, backup failed and so on).
Those are some pretty big omissions. I wonder why they are left out when we do this type of install
For something that has been in the wiki for a good few versions it does seem a bit… incomplete.
I think the point is that Proxmox will run fine without it (not with every feature working of cause), so its optional and the "proxmox-ve" package only installs dependencies that are really required for basic operation.
But I agree, packages that the ProxmoxVE ISO installs that are not part of a basic Debian install should really be listed in the wiki or documentation as optional packages that are worth installing.
I also wasn't able to find such a list and maybe I'm still missing useful packages.
I only found out that ksmtuned was missing, after switching von ProxmoxVE ISO to Proxmox ontop of Debian, because I was wondering why KSM isn't working anymore. Then I googled and found out that the package "ksmtuned" is the KSM service and then I checked the installed packages and found out that it wasn't installed.
Would be really great if the staff could add such a optional package list to the wiki article.
But I agree, packages that the ProxmoxVE ISO installs that are not part of a basic Debian install should really be listed in the wiki or documentation as optional packages that are worth installing.
I also wasn't able to find such a list and maybe I'm still missing useful packages.
I only found out that ksmtuned was missing, after switching von ProxmoxVE ISO to Proxmox ontop of Debian, because I was wondering why KSM isn't working anymore. Then I googled and found out that the package "ksmtuned" is the KSM service and then I checked the installed packages and found out that it wasn't installed.
Would be really great if the staff could add such a optional package list to the wiki article.
Last edited:
Is there anything missing from the wiki guide in terms of steps to take? I followed it but did not end up with a static IP address. There were two 127.0.0.1 addresses in the hosts file and I left one of them as it shows… should I remove both? Also when setting up Debian there are both root and user passwords; do both remain after installing Proxmox over? Is it then possible to have a non-root account to manage Proxmox?
I think there were some points missing but I'm not sure if they are just optional like allowing IP forwarding to be able to use routing.
What packages did selected while installing Debian? I always remove the webserver + gui and add the ssh server. If you installed Debian with GUI you can't use /etc/network/interfaces because the network-manager will overwrite it. In that case you need to disable or uninstall the "network-manager" package.
And the proxmox package won't setup any network stuff for you. You need to create your own config in /etc/network/interfaces. Like this:
nano /etc/network/interfaces
Code:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet manual
auto vmbr0
iface vmbr0 inet static
address 192.168.0.100/24
gateway 192.168.0.1
bridge-ports eth0
bridge-stp off
bridge-fd 0And you will need to add a DNS server...
nano /etc/resolv.conf...and add a line like "nameserver 192.168.0.1".
You only need one entry like this: "127.0.0.1 localhost.localdomain localhost"
Yes.
Yes but that is quite useless. If that non-root account got the rights to use sudo to run any command as root that is not more secure than just using the root user. And you won't be able to completely deactivate the root user because some options in the Proxmox WebGUI can only be changed if logged in as root. Another user with root privileges isn't enough.
Last edited:
Just using root but adding more security would be more usefull. Like installing fail2ban to prevent bruteforce attacks, using two factor authentification for the Webui and setting up a RSA key for root and forbid SSH logins using passwords. And you could setup a VPN and create a DMZ for isolation so nobody gets access to management features in the first place.
That sounds like they missed a ton of stuff, so it’s not really a step by step guide at all. I installed Debian without GNOME so it goes straight to the command line, is that what you mean by graphical install? Or do you mean the option in the menu at the start of the installer?
Does that networking config need to be created regardless of how Debian is installed?
Amazing ideas thanks. Do you have them all implemented? What app do you use for RSA?
I've got VPN, DMZs, SSH login only using RSA keys allowed (you don't need a app to create use RSA keys fpr authentification. Its all build in into linux. For Windows you can use puttygen to create a RSA key and use putty to login using that key). Fail2ban I only use inside VMs because my management interfaces are isolated and not accessable from the internet so there is no need to set it up. Same for 2FA.
That is what I wanted to do, no access to the server from the internet just local, but still able to update and stuff. It doesn’t seem all that straightforward. Where can I find out how to do the RSA thing?
Here is how to do it on linux: https://linuxize.com/post/how-to-set-up-ssh-keys-on-debian-10/
If you want to use Windows:
1.) get puttygen.exe
2.) use puttygen to create a 4096bit RSA private public key pair. If you want more security you can also add a optional passphrase so the key file is useless without that passphrase. By default the private key will be in ppk format that only works with putty. So you might want to export a OpenSSH2 readable private key too.
3.) Store your private keys at a secure place and make backups of it
4.) download and install putty (MSI for installation or just the putty.exe if you don't want to install it)
5.) Use putty to connect to your server as your unprivileged user using password
6.) switch to root user:
sudo su -7.) Create a file to store the public key for your root user:
mkdir /root/.sshnano /root/.ssh/authorized_keysPaste the content of your private key here (right click to paste). Make sure its all in one line. Save with CTRL+X.
chmod 0600 /root/.ssh/authorized_keys8.) reboot server and try to login as root using putty. You will need to tell putty where your private key is stored (Connection -> SSH -> Auth -> Private keyfile for authentification).
9.) if that works you can disable SSH logins using passwords:
nano /etc/ssh/sshd_configChange "#PasswordAuthentication yes" to "PasswordAuthentication no", save and reboot
Last edited:
Thanks for the instructions, I will give that a try for sure once I have everything setup!
Is it possible to give that user account access to a particular folder, that can be seen when sftp’ing in from another computer? If I sftp into the Proxmox host using the user account it’s blank with no files/folders. If I use the root account it doesn’t work…
If you use apps like WinSCP that use ssh for file transfers you need to tell that program to use your private RSA key too.Then root will work.