- Bulk Download All Proxmox LXC Templates via PVE Command Line
- Mounting Proxmox Raw Images in Any Linux
- Proxmox IPTables Port 8006 Redirect to Port 443
- Cloning/Restoring a Proxmox LXC Container from Backup
- Installing Certificate for Self-Hosted Unifi Network Controller
Bulk Download All Proxmox LXC Templates via PVE Command Line
3/29/2025
If you have the space and want to bulk download all of the available Proxmox VE LXC container templates (i.e., TurnKey LXC Linux Containers, etc.) to local storage, here is a command that will download them all from a Proxmox VE console.
I have downloaded these to my NAS storage called “NAS1”, so substitute “local-lvm” or wherever you decide to store them. As of this writing, these will take up about 46GB of storage:
# for i in `pveam available | awk '{ print $2 }'`; do pveam download NAS1 $i; done
Mounting Proxmox Raw Images in Any Linux
4/2/2025
Context/Assumption: Drive containing Proxmox VE LVMs and raw images from a thin-pool is made available to another non-Proxmox Linux system (via external drive attachment, etc.):
1. Get a listing of the LVMs via lvdisplay. Here’s an example of a(n old) Proxmox VE drive attached to a system running Elementary OS:
root@nunya:/mnt/lvm/pve# lvdisplay
WARNING: Device for PV bIYp7D-Ifi5-3vm9-jKP2-6CCx-1l4b-j8LZd0 not found or rejected by a filter.
--- Logical volume ---
LV Path /dev/data_vg/lv01
LV Name lv01
VG Name data_vg
LV UUID akpZCx-bK2h-FaZr-66ZA-62Fo-ZIDP-NaqVEo
LV Write Access read/write
LV Creation host, time pve, 2021-12-20 00:02:35 -0600
LV Status available
# open 0
LV Size 1.00 TiB
Current LE 262144
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 253:2
--- Logical volume ---
LV Path /dev/elementary-vg/root
LV Name root
VG Name elementary-vg
LV UUID PRNByi-krxc-cxcm-3qcy-xrs4-BrLu-kFwni9
LV Write Access read/write
LV Creation host, time elementary, 2020-04-07 21:07:53 -0500
LV Status available
# open 1
LV Size 475.48 GiB
Current LE 121723
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 253:0
--- Logical volume ---
LV Path /dev/elementary-vg/swap_1
LV Name swap_1
VG Name elementary-vg
LV UUID z5Xm5c-9urf-Dib0-Bkn2-NLy3-PGZc-DzLGYp
LV Write Access read/write
LV Creation host, time elementary, 2020-04-07 21:07:53 -0500
LV Status available
# open 2
LV Size 980.00 MiB
Current LE 245
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 253:1
2. Mount the Proxmox VE LVM: mount /dev/<vg>/<lv> /mnt/lvm/pve/<lv>
I always create mount points in /mnt grouped by type: /mnt/lvm, /mnt/iso, etc. (Yeah… “/media”, I get it. LOL). So for the above, /mnt/lvm/pve is just my convention and has nothing to do with Proxmox VE per se or making this “work.” It’s a mount point, period. Mount at /recovery if you want — up to you.
# mkdir -p /mnt/lvm/pve/data_vg
# mount /dev/data_vg/lv01 /mnt/lvm/pve/data_vg
3. Raw Proxmox VE VM and container images will now be in /mnt/lvm/pve/data_vg/images. Mount those as loop devices: mount -o loop /path/to/raw/disk/image /mnt/lvm/pve/<disk-ID>. (Again my convention on the disk ID.)
# ls -lR /mnt/lvm/pve/data_vg/images
/mnt/lvm/pve/data_vg/images:
total 8
drwxr----- 2 root root 4096 Dec 20 2021 100
drwxr----- 2 root root 4096 Mar 22 2022 101
/mnt/lvm/pve/data_vg/images/100:
total 3118804
-rw-r----- 1 root root 21474836480 Apr 1 20:51 vm-100-disk-0.raw
/mnt/lvm/pve/data_vg/images/101:
total 1243244
-rw-r----- 1 root root 10737418240 Apr 1 20:51 vm-101-disk-0.raw
# mkdir /mnt/lvm/pve/100 /mnt/lvm/pve/101
# mount -o loop data_vg/images/100/vm-100-disk-0.raw /mnt/lvm/pve/100
# mount -o loop data_vg/images/101/vm-101-disk-0.raw /mnt/lvm/pve/101
4. In this example of raw images as part of a data LVM thin-pool (denoted by the “<1.67t” below), I can just go after any raw image disk as a straight up LVM mount:
# lvs
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
data pve twi-aotz-- <1.67t 4.07 0.30
root pve -wi-ao---- 96.00g
swap pve -wi-ao---- 8.00g
vm-100-disk-0 pve Vwi-aotz-- 60.00g data 48.09
vm-101-disk-0 pve Vwi-aotz-- 8.00g data 8.86
vm-101-disk-1 pve Vwi-aotz-- 20.00g data 11.27
# cd /mnt/lvm/pve
# mkdir vm-100-disk-0 vm-101-disk-0 vm-101-disk-1
# mount /dev/pve/vm-100-disk-0 /mnt/lvm/pve/vm-100-disk-0
# mount /dev/pve/vm-101-disk-0 /mnt/lvm/pve/vm-101-disk-0
# mount /dev/pve/vm-101-disk-1 /mnt/lvm/pve/vm-101-disk-1
And if you wanted to mount them all at once, excluding snapshots:
# for i in `lvs | awk '/vm-/ && !/[Ss]nap/ { print $1 }'`; do mkdir /mnt/lvm/pve/data_vg/$i; mount -o loop /dev/data_vg/$i /mnt/lvm/pve/data_vg/$i; done
Or write the commands to a script to look over before executing:
for i in `lvs | awk '/vm-/ && !/[Ss]nap/ { print $1 }'`; do echo "mkdir /mnt/lvm/pve/data_vg/$i"; echo "mount -o loop /dev/data_vg/$i /mnt/lvm/pve/data_vg/$i"; done > /path/to/save/script/mount-raw.sh
HTH
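An added example, not part of the original post: a POSIX shell function that builds the review-before-running mount script from lvs output, taking the VG from each line instead of hard-coding it and mounting read-only. The lvs report options chosen here, the MNT_BASE variable, the function names and the sample lines are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. Reads the output of
#   lvs --noheadings --separator '|' -o lv_name,vg_name,origin
# on stdin and prints mkdir/mount commands to review before running them.
# MNT_BASE (hypothetical variable) defaults to the page's /mnt/lvm/pve convention.
MNT_BASE="${MNT_BASE:-/mnt/lvm/pve}"

gen_mount_script() {
    awk -F'|' -v base="$MNT_BASE" '
    {
        # lvs pads its columns; trim every field
        for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
        lv = $1; vg = $2; origin = $3
        # Guest disks only. The anchored pattern also drops snap_* volumes.
        if (lv !~ /^vm-[0-9]+-disk-[0-9]+$/) next
        # A non-empty origin marks a snapshot or clone of another LV: skip it.
        if (origin != "") next
        # Names end up in generated shell, so accept plain VG names only.
        if (vg !~ /^[A-Za-z0-9_.+-]+$/) next
        dir = base "/" vg "/" lv
        printf "mkdir -p %s\n", dir
        printf "mount -o ro /dev/%s/%s %s\n", vg, lv, dir
    }'
}

# Constructed sample input (not captured from a real host).
sample_lvs() {
    cat <<'EOF'
  data|pve|
  root|pve|
  vm-100-disk-0|pve|
  snap_vm-100-disk-0_pre|pve|vm-100-disk-0
  vm-101-disk-1|pve|
  vm-102-disk-0|pve|base-900-disk-0
EOF
}

# Dry run against the sample:
#   sample_lvs | gen_mount_script
# On a real host:
#   lvs --noheadings --separator '|' -o lv_name,vg_name,origin | gen_mount_script > mount-raw.sh
```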
Proxmox IPTables Port 8006 Redirect to Port 443
I’m not a big fan of “off” ports. They of course have their place. But when I have dedicated servers, HTTPS “belongs” on port 443. Here’s a simple iptables redirect rule for making it “look” like Proxmox VE is running on 443 from the vantage of the browser:
# iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8006
I’m a fan of the iptables-save approach in terms of making this permanent (i.e., survives a reboot). Here’s an article on the iptables-save approach.
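An added example, not from the original post: running the -A command a second time appends a duplicate rule, so this shell snippet adds the redirect only when iptables -C reports it missing, and counts matching rules in an iptables-save dump. The function names and the sample dump are constructed for this example.

```shell
#!/bin/sh
# Added example (not the author's code).

# count_redirects: reads `iptables-save -t nat` output on stdin and prints how
# many PREROUTING rules redirect tcp/443 to port 8006.
count_redirects() {
    awk '
    $1 == "-A" && $2 == "PREROUTING" {
        dport = ""; to = ""; tcp = 0; redirect = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p" && $(i+1) == "tcp") tcp = 1
            if ($i == "--dport") dport = $(i+1)
            if ($i == "-j" && $(i+1) == "REDIRECT") redirect = 1
            if ($i == "--to-ports") to = $(i+1)
        }
        if (tcp && redirect && dport == "443" && to == "8006") n++
    }
    END { print n + 0 }'
}

# ensure_redirect: append the rule only if `iptables -C` does not find it.
# Needs root; it is defined here but not called.
ensure_redirect() {
    iptables -t nat -C PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8006 2>/dev/null ||
        iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8006
}

# Constructed sample: a nat table after the -A command was run twice,
# plus one unrelated redirect that must not be counted.
sample_nat_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8006
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8006
-A PREROUTING -p tcp -m tcp --dport 8443 -j REDIRECT --to-ports 8006
COMMIT
EOF
}
```

The redirect only adds 443 as a second way in; port 8006 keeps answering directly unless it is filtered separately.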
Cloning/Restoring a Proxmox LXC Container from Backup
# pct restore 104 vzdump-lxc-103-2025_04_10-14_05_20.tar.zst --storage local-lvm
This takes the backup of Container #103 and creates a new container #104. <Poof> MAGIC.
- Change the hostname of the new container. (It will have the same hostname as the backed-up container.)
- Change the IP address of the new container. (It will have the same IP address as the backed-up container.)
(Unless the backed-up container doesn’t exist any more.)
Installing Certificate for Self-Hosted Unifi Network Controller
I’m running macOS as my main desktop and running my own Certificate Manager on pfSense with my own root CA.
- Import my root CA .crt file into Keychain Access on my Mac as a login certificate and set it to “Always Trusted” — so… my own sites (with my own issued certificates as my own CA) are always trusted. (Not detailing the steps for that here — Google University can handle this for you.)
- Create a server certificate in pfSense signed by my root CA for my unifi.lan server. Supply your own IP, FQDN, and/or hostname for your own server. (There are plenty of articles in Google for doing all this with tools like openssl if not running one’s own CA.)
- Export the private key .key file and certificate .crt file from pfSense. scp these files to /etc/ssl/private on the Unifi Network Controller from where I exported them:
scp Unifi_Network_Controller.* root@unifi.lan:/etc/ssl/private
- Hop into a root console on my Unifi Network Controller and create the PKCS12 file to import into the Java keystore on the controller:
# cd /etc/ssl/private
# openssl pkcs12 -export -name unifi -out unifikey.p12 -inkey Unifi_Network_Controller.key -in Unifi_Network_Controller.crt
Enter Export Password: aircontrolenterprise
Verifying - Enter Export Password: aircontrolenterprise
(The password used is, as far as I can tell, necessary.)
- Backup the Java keystore on the Unifi Network Controller:
# cd /var/lib/unifi
# cp keystore keystore.bak
- Stop the Unifi Network Controller, import the PKCS12 key created from the private key file and the certificate file into the keystore, and restart the controller:
# systemctl stop unifi
# keytool -importkeystore -srckeystore /etc/ssl/private/unifikey.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -deststoretype PKCS12 -storepass aircontrolenterprise
Existing entry alias unifi exists, overwrite? [no]: yes
Entry for alias unifi successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
# systemctl start unifi
Badda-bing. Pulled what I needed (which was essentially creating the PKCS12 file and doing the keystore import with the proper password) from this fantastic article on Reddit.