Recipes


Bulk Download All Proxmox LXC Templates via PVE Command Line

3/29/2025

If you have the space and want to bulk download all of the available Proxmox VE LXC container templates (e.g. the TurnKey Linux containers, etc.) to local storage, here is a command that will download them all from a Proxmox VE console.

I have downloaded these to my NAS storage called “NAS1”, so substitute “local-lvm” or wherever you decide to store them. As of this writing, these will take up about 46GB of storage:

# for i in `pveam available | awk '{ print $2 }'`; do pveam download NAS1 $i; done

Mounting Proxmox Raw Images in Any Linux

4/2/2025

Context/Assumption: Drive containing Proxmox VE LVMs and raw images from a thin-pool is made available to another non-Proxmox Linux system (via external drive attachment, etc.):

  1. Get a listing of the LVMs via lvdisplay. Here’s an example of a(n old) Proxmox VE drive attached to a system running Elementary OS:
root@nunya:/mnt/lvm/pve# lvdisplay
  WARNING: Device for PV bIYp7D-Ifi5-3vm9-jKP2-6CCx-1l4b-j8LZd0 not found or rejected by a filter.
  --- Logical volume ---
  LV Path                /dev/data_vg/lv01
  LV Name                lv01
  VG Name                data_vg
  LV UUID                akpZCx-bK2h-FaZr-66ZA-62Fo-ZIDP-NaqVEo
  LV Write Access        read/write
  LV Creation host, time pve, 2021-12-20 00:02:35 -0600
  LV Status              available
  # open                 0
  LV Size                1.00 TiB
  Current LE             262144
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:2
   
  --- Logical volume ---
  LV Path                /dev/elementary-vg/root
  LV Name                root
  VG Name                elementary-vg
  LV UUID                PRNByi-krxc-cxcm-3qcy-xrs4-BrLu-kFwni9
  LV Write Access        read/write
  LV Creation host, time elementary, 2020-04-07 21:07:53 -0500
  LV Status              available
  # open                 1
  LV Size                475.48 GiB
  Current LE             121723
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:0
   
  --- Logical volume ---
  LV Path                /dev/elementary-vg/swap_1
  LV Name                swap_1
  VG Name                elementary-vg
  LV UUID                z5Xm5c-9urf-Dib0-Bkn2-NLy3-PGZc-DzLGYp
  LV Write Access        read/write
  LV Creation host, time elementary, 2020-04-07 21:07:53 -0500
  LV Status              available
  # open                 2
  LV Size                980.00 MiB
  Current LE             245
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:1

2. Mount the Proxmox VE LVM: mount /dev/<vg>/<lv> /mnt/lvm/pve/<lv>

I always create mount points in /mnt grouped by type: /mnt/lvm, /mnt/iso, etc. (Yeah… “/media“, I get it. LOL). So for the above the /mnt/lvm/pve is just my convention and has nothing to do with Proxmox VE per se or making this “work.” It’s a mount point, period. Mount at /recovery if you want — up to you.

# mkdir -p /mnt/lvm/pve/data_vg
# mount /dev/data_vg/lv01 /mnt/lvm/pve/data_vg

3. Raw Proxmox VE VM and container images will now be in /mnt/lvm/pve/data_vg/images. Mount those as loop devices: mount -o loop /path/to/raw/disk/image /mnt/lvm/pve/<disk-ID>. (Again my convention on the disk ID.)

# ls -lR /mnt/lvm/pve/data_vg/images
/mnt/lvm/pve/data_vg/images:
total 8
drwxr----- 2 root root 4096 Dec 20  2021 100
drwxr----- 2 root root 4096 Mar 22  2022 101

/mnt/lvm/pve/data_vg/images/100:
total 3118804
-rw-r----- 1 root root 21474836480 Apr  1 20:51 vm-100-disk-0.raw

/mnt/lvm/pve/data_vg/images/101:
total 1243244
-rw-r----- 1 root root 10737418240 Apr  1 20:51 vm-101-disk-0.raw
# mkdir /mnt/lvm/pve/100 /mnt/lvm/pve/101
# mount -o loop data_vg/images/100/vm-100-disk-0.raw /mnt/lvm/pve/100
# mount -o loop data_vg/images/101/vm-101-disk-0.raw /mnt/lvm/pve/101

4. In this example of raw images as part of a data LVM thin-pool (denoted by the “<1.67t” below), I can just go after any raw image disk as a straight up LVM mount:

# lvs
  LV                                     VG  Attr       LSize  Pool Origin        Data%  Meta%  Move Log Cpy%Sync Convert
  data                                   pve twi-aotz-- <1.67t                    4.07   0.30                            
  root                                   pve -wi-ao---- 96.00g                                                           
  swap                                   pve -wi-ao----  8.00g                                                           
  vm-100-disk-0                          pve Vwi-aotz-- 60.00g data               48.09                                  
  vm-101-disk-0                          pve Vwi-aotz--  8.00g data               8.86                                   
  vm-101-disk-1                          pve Vwi-aotz-- 20.00g data               11.27                                  
# cd /mnt/lvm/pve
# mkdir vm-100-disk-0 vm-101-disk-0 vm-101-disk-1
# mount /dev/pve/vm-100-disk-0 /mnt/lvm/pve/vm-100-disk-0
# mount /dev/pve/vm-101-disk-0 /mnt/lvm/pve/vm-101-disk-0
# mount /dev/pve/vm-101-disk-1 /mnt/lvm/pve/vm-101-disk-1

And if you wanted to mount them all at once, excluding snapshots:

# for i in `lvs | awk '/vm-/ && !/[Ss]nap/ { print $1 }'`; do mkdir -p /mnt/lvm/pve/$i; mount /dev/pve/$i /mnt/lvm/pve/$i; done

Or write the commands to a script to look over before executing:

# for i in `lvs | awk '/vm-/ && !/[Ss]nap/ { print $1 }'`; do echo "mkdir -p /mnt/lvm/pve/$i"; echo "mount /dev/pve/$i /mnt/lvm/pve/$i"; done > /path/to/save/script/mount-raw.sh
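
A stricter take on the "write a script and look it over" idea, as an added example that is not part of the original recipe: it selects volumes by their LVM attributes instead of by name and mounts them read-only. The function name, the MNT_BASE variable and the sample snapshot line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: turn an lvs report into a reviewable, read-only mount script.
# Feed it the output of (real lvs options):
#   lvs --noheadings --separator '|' -o vg_name,lv_name,lv_attr,origin
# MNT_BASE follows the mount-point convention used above; it is only a default.
MNT_BASE="${MNT_BASE:-/mnt/lvm/pve}"

gen_mount_script() {
    awk -F'|' -v base="$MNT_BASE" '
    {
        for (f = 1; f <= NF; f++) gsub(/^[ \t]+|[ \t]+$/, "", $f)
        vg = $1; lv = $2; attr = $3; origin = $4

        # First attr character: "V" = thin volume, "t" = thin pool,
        # "-" = plain LV (root, swap). In the thin-pool layout shown
        # above, the guest disks are the thin volumes.
        if (substr(attr, 1, 1) != "V") next
        # A thin snapshot is also "V" but names its origin; skip it.
        if (origin != "") next
        # Skip names with characters outside the set LVM allows, so that
        # nothing unexpected ends up in the generated script.
        if (vg !~ /^[A-Za-z0-9_.+-]+$/ || lv !~ /^[A-Za-z0-9_.+-]+$/) next

        printf "mkdir -p %s/%s\n", base, lv
        # ro: recovery work should not write to the source disk.
        printf "mount -o ro /dev/%s/%s %s/%s\n", vg, lv, base, lv
    }'
}

# Constructed sample: the LVs from the lvs table above plus one made-up snapshot.
sample_lvs() {
    cat <<'EOF'
  pve|data|twi-aotz--|
  pve|root|-wi-ao----|
  pve|swap|-wi-ao----|
  pve|vm-100-disk-0|Vwi-aotz--|
  pve|vm-101-disk-0|Vwi-aotz--|
  pve|vm-101-disk-1|Vwi-aotz--|
  pve|snap_vm-100-disk-0_before|Vri---tz-k|vm-100-disk-0
EOF
}

# Review the result before running it:  sample_lvs | gen_mount_script > mount-raw.sh
```

On a real system, replace sample_lvs with the lvs command from the header comment.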

HTH


Proxmox IPTables Port 8006 Redirect to Port 443

I’m not a big fan of “off” ports. They of course have their place. But when I have dedicated servers, HTTPS “belongs” on port 443. Here’s a simple iptables redirect rule for making it “look” like Proxmox VE is running on 443 from the vantage of the browser:

# iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8006

I’m a fan of the iptables-save approach in terms of making this permanent (i.e. survives a reboot). Here’s an article on the iptables-save approach.


Cloning/Restoring a Proxmox LXC Container from Backup

# pct restore 104 vzdump-lxc-103-2025_04_10-14_05_20.tar.zst --storage local-lvm

This takes the backup of Container #103 and creates a new container #104. <Poof> MAGIC.

  1. Change the hostname of the new container. (It will have the same hostname as the backed-up container.)
  2. Change the IP address of the new container. (It will have the same IP address as the backed-up container.)

(Unless the backed-up container doesn’t exist any more.)


Installing Certificate for Self-Hosted Unifi Network Controller

I’m running macOS as my main desktop and running my own Certificate Manager on pfSense with my own root CA.

  1. Import my root CA .crt file into Keychain Access on my Mac as a login certificate and set it to “Always Trusted” — so… my own sites (with my own issued certificates as my own CA) are always trusted. (Not detailing the steps for that here — Google University can handle this for you.)
  2. Create a server certificate in pfSense signed by my root CA for my unifi.lan server. Supply your own IP, FQDN, and/or hostname for your own server. (There are plenty of articles in Google for doing all this with tools like openssl if not running one’s own CA.)
  3. Export the private key .key file and certificate .crt file from pfSense.
  4. scp these files to /etc/ssl/private on the Unifi Network Controller from where I exported them: scp Unifi_Network_Controller.* root@unifi.lan:/etc/ssl/private
  5. Hop into a root console on my Unifi Network Controller and create the PKCS12 file to import into the Java keystore on the controller:
# cd /etc/ssl/private
# openssl pkcs12 -export -name unifi -out unifikey.p12 -inkey Unifi_Network_Controller.key -in Unifi_Network_Controller.crt
Enter Export Password: aircontrolenterprise
Verifying - Enter Export Password: aircontrolenterprise

(The password used is, as far as I can tell, necessary.)

  6. Back up the Java keystore on the Unifi Network Controller:
# cd /var/lib/unifi
# cp keystore keystore.bak
  7. Stop the Unifi Network Controller, import the PKCS12 key created from the private key file and the certificate file into the keystore, and restart the controller:
# systemctl stop unifi
# keytool -importkeystore -srckeystore /etc/ssl/private/unifikey.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -deststoretype PKCS12 -storepass aircontrolenterprise
Existing entry alias unifi exists, overwrite? [no]:  yes
Entry for alias unifi successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
# systemctl start unifi

Badda-bing. Pulled what I needed (which was essentially creating the PKCS12 file and doing the keystore import with the proper password) from this fantastic article on Reddit.
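
A pre-flight check worth running on the controller before building the PKCS12 file and stopping the service, as an added example that is not part of the original recipe or the Reddit article: it confirms the private key belongs to the certificate, the certificate has not expired, and the key file is not readable by group or others. The function names are assumptions, and the key is assumed to be an unencrypted PEM file.

```shell
#!/bin/sh
# Added example: sanity-check an exported certificate/private-key pair before
# building the PKCS12 file. Uses only standard openssl subcommands.

pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# usage: check_pair <cert.crt> <key.key>
# Prints "ok" and returns 0 only if every check passes.
check_pair() {
    crt=$1; key=$2
    cpub=$(pubkey_of_cert "$crt") || { echo "cannot read certificate"; return 2; }
    kpub=$(pubkey_of_key "$key")  || { echo "cannot read private key"; return 2; }

    # Both files must carry the same public key, otherwise the controller
    # would present a certificate it holds no matching key for.
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] ||
        { echo "key does not match certificate"; return 1; }

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired"; return 1; }

    # The private key should be accessible to its owner only (e.g. mode 600).
    case $(ls -ldL "$key") in
        -???------*) ;;
        *) echo "private key is group/world accessible"; return 1 ;;
    esac
    echo "ok"
}

# Example call with the file names used above:
#   check_pair Unifi_Network_Controller.crt Unifi_Network_Controller.key
```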