Updates for VMs/CTs without internet access

hlab

New Member
Mar 26, 2023
I want to configure some VMs/CTs on a subnet which has no internet access.
However, how can I handle updates?
Can I somehow download updates to the LAN and point the VM/CT to that address to look for updates? Does this work for git?

And can I extend it for Proxmox itself?
 
How would you update a physical machine that cannot reach the internet? It depends on the operating system used inside the VMs/CTs, and is independent of Proxmox.
For Proxmox, you can use an offline mirror that was recently developed: https://forum.proxmox.com/threads/proxmox-offline-mirror-released.115219/post-498198
Thanks, I'll read through the Proxmox part while looking for the VMs/CTs.
Most of my CTs are Debian templates so I'm assuming the same goes for them; however, packages (like Frigate) are pulled from git, so it may be harder for those.
 
Most of my CTs are Debian templates so I'm assuming the same goes for them; however, packages (like Frigate) are pulled from git, so it may be harder for those.
It is always a good idea to host EVERYTHING locally. Remember the bad old days when some simple JS base package was unavailable and a lot of companies had problems with their CI pipelines because of this? And yes, you will also get problems with that. We just had them during the archive process of Debian Stretch from "normal" to "archive".

We're running a Debian mirror from Wheezy up, OL and CentOS mirrors from 5 up, and we're going to start an AlmaLinux 8 mirror soon. The same goes for all Docker install packages, PVE packages and our internal package infrastructure (we do everything with deb and rpm packages, so that we only rely on packages and do not need an active connection to any non-controlled service). Our Docker base images are also locally mirrored and have our internal mirrors preset so that everything works out of the box by just replacing the FROM line (we also experimented with DNS overloading, but that resulted in other problems).
 
It is always a good idea to host EVERYTHING locally. Remember the bad old days when some simple JS base package was unavailable and a lot of companies had problems with their CI pipelines because of this? And yes, you will also get problems with that. We just had them during the archive process of Debian Stretch from "normal" to "archive".

We're running a Debian mirror from Wheezy up, OL and CentOS mirrors from 5 up, and we're going to start an AlmaLinux 8 mirror soon. The same goes for all Docker install packages, PVE packages and our internal package infrastructure (we do everything with deb and rpm packages, so that we only rely on packages and do not need an active connection to any non-controlled service). Our Docker base images are also locally mirrored and have our internal mirrors preset so that everything works out of the box by just replacing the FROM line (we also experimented with DNS overloading, but that resulted in other problems).
Thanks.
Please let me know if this is doable:
set up the CTs with internet access while I understand/read about hosting on premise, and then change the IP of the CTs to restrict internet access and point them to the local machine to pull updates?
 
What about some routing/firewalling? I, for example, have an IoT subnet where I don't want devices to access the internet. So I blocked all incoming/outgoing connections except for a few whitelisted IPs, so updates still work.
 
What about some routing/firewalling? I, for example, have an IoT subnet where I don't want devices to access the internet. So I blocked all incoming/outgoing connections except for a few whitelisted IPs, so updates still work.

That's how I've set it up right now:
one subnet for IoT devices/cameras: zero internet access, and it can access only that subnet.
The 2nd subnet has internet access; that's where all personal devices are.
Maybe I'll set up a 3rd one which has internet access and access to the 1st subnet but not the 2nd; this will run services like Home Assistant, Frigate etc.

I was trying to see if, instead of a 3rd subnet, I could somehow put the services under subnet 1.
 
Don't you have something like an OPNsense that can route between your different subnets? But yes, a third DMZ subnet for your services is always a good idea from a security standpoint.
 
Don't you have something like an OPNsense that can route between your different subnets? But yes, a third DMZ subnet for your services is always a good idea from a security standpoint.
Yes, I'm running pfSense, that's why I can set up a 3rd subnet if needed.
 
Please let me know if this is doable:
set up the CTs with internet access while I understand/read about hosting on premise, and then change the IP of the CTs to restrict internet access and point them to the local machine to pull updates?
Just provide your OS mirror on your restricted subnet and you can pull updates as you need. That's what mirrors are for.
You can also add a caching proxy (if you don't want the relatively huge mirror storage requirements) that only allows connections to your mirror. I use that too.
 
Just provide your OS mirror on your restricted subnet and you can pull updates as you need. That's what mirrors are for.
You can also add a caching proxy (if you don't want the relatively huge mirror storage requirements) that only allows connections to your mirror. I use that too.
Ah, I think I understand what you mean.
Basically create a repository (mirror) and pull all OS/package related updates there.
And then the machine on the subnet pulls updates from that machine (similar to editing /etc/apt/sources.list to remove the original links and replace them with in-network links).
 
Ah, I think I understand what you mean.
Basically create a repository (mirror) and pull all OS/package related updates there.
And then the machine on the subnet pulls updates from that machine (similar to editing /etc/apt/sources.list to remove the original links and replace them with in-network links).
Exactly. This has been common practice for decades and is also available for Windows with WSUS.
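As an added example (not code from this thread or from Proxmox), here is a POSIX shell script that does what the last two posts describe for a Debian CT: rewrite sources.list so every entry points at an internal mirror, audit that nothing still points off-net, and, as the alternative, write the caching-proxy setting into apt.conf.d. The hostnames mirror.lan and apt-cache.lan and the sample sources.list are assumptions; the script dry-runs in a temp directory rather than touching /etc/apt.

```shell
#!/bin/sh
# Added example, not code from the thread: point a Debian CT's APT at an internal
# mirror and/or a caching proxy, then verify nothing still points off-net.
set -eu

MIRROR_HOST="${MIRROR_HOST:-mirror.lan}"                 # assumed internal mirror
CACHE_PROXY="${CACHE_PROXY:-http://apt-cache.lan:3142}"  # assumed apt-cacher-ng

# Constructed sample of a stock Debian 12 sources.list, used as input below.
sample_sources() {
    cat <<'EOF'
deb http://deb.debian.org/debian bookworm main contrib
deb http://deb.debian.org/debian bookworm-updates main contrib
deb http://security.debian.org/debian-security bookworm-security main contrib
EOF
}

# Replace the host of every deb/deb-src URL with the internal mirror. Paths
# (/debian, /debian-security) are kept, so the mirror must keep upstream layout.
point_to_mirror() {
    sed -E "/^[[:space:]]*deb(-src)?[[:space:]]/ s#https?://[^ /]+/#http://${MIRROR_HOST}/#" "$1"
}

# Exit 0 only if every deb/deb-src line targets the mirror; otherwise print the
# offending lines and exit 1, so an off-net CT fails loudly instead of hanging.
audit_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$1" \
      | grep -Ev "^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?https?://${MIRROR_HOST}/" \
      || return 0
    return 1
}

# Caching-proxy variant: sources stay unchanged and all APT traffic goes through
# the proxy, the only host the firewall lets reach the mirror or upstream.
write_proxy_conf() {
    mkdir -p "$1/apt.conf.d"
    printf 'Acquire::http::Proxy "%s";\n' "$CACHE_PROXY" > "$1/apt.conf.d/01proxy"
}

# Stand-alone dry run in a temp directory; never touches /etc/apt itself.
main() {
    work=$(mktemp -d)
    sample_sources > "$work/sources.list"
    point_to_mirror "$work/sources.list" > "$work/sources.list.new"
    audit_sources "$work/sources.list.new"
    write_proxy_conf "$work"
    cat "$work/sources.list.new" "$work/apt.conf.d/01proxy"
    rm -r "$work"
}
main
```

To apply for real, run point_to_mirror against /etc/apt/sources.list, install the output in its place after a backup, and keep audit_sources in your CT provisioning so a container that still references a public host is caught before it is moved onto the restricted subnet.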
 