User Tools

Site Tools



This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Next revisionBoth sides next revision
computing:proxmux [2023/06/18 18:28] oemb1905computing:proxmux [2023/12/23 22:09] oemb1905
Line 19: Line 19:
   vzdump <vmID>   vzdump <vmID>
 +  vzdump <vmID> --dumpdir /mnt/backups/machines/pve-images/<vmname>
-This will create a VM in .vma format. +This will create a VM in .vma format. Then, you can extract the vma to a raw image as follows: 
 +  vma extract /var/lib/vz/dump/vzdump-qemu-101-2023_06_18-12_17_40.vma /mnt/backups/vma-extract 
 +Optionallly, you can use the python tool [[|]]. I don't see any value in using this, however, as it is much slower than the native tool and is also just in raw format. Example syntax is: 
 +  python3 vzdump-qemu-101-2023_06_18-12_17_40.vma /mnt/backups/vma 
 +In order to see where the virtual machine's zdevs are, run the following: 
 +  zfs list 
 +To delete one (be careful), use the following 
 +  zfs destroy pool/dataset 
 +I've migrated my Windows VM here for testing to avoid cumbersome EFI/TPM setup on virt-manager. Here's a page from ProxMux wiki on best practices for [[|Windows VMs]]. Once thing I noticed when doing the Windows install is that PVE makes two more vdevs for the TPM / EFI, so you get something like the following in ''zfs list'': 
 +  vms/vm-102-disk-0 
 +  vms/vm-102-disk-1 
 +  vms/vm-102-disk-2 
 +Be careful not to delete those thinking wrongly that they are extraneous - those are obviously required for booting, but it might not be clear upon first look. Also, I chose to install those on the ''zpool'' and PVE's default was to store those locally - so they will likely not appear if you did not pick the option to store them on the pool.  
 +To verify sockets and cores 
 +  grep "physical id" /proc/cpuinfo | sort -u | wc -l 
 +Had to switch to postfix with my relay, so used satellite and: 
 +  []:587 
 +Created bridge on pve instance with this recipe: 
 +  source /etc/network/interfaces.d/
 +  auto lo 
 +  iface lo inet loopback 
 +  iface enp0s31f6 inet manual 
 +  auto vmbr0 
 +  iface vmbr0 inet static 
 +      address 
 +      gateway 
 +      bridge-ports enp0s31f6 
 +      bridge-stp off 
 +      bridge-fd 0 
 +Make sure the PVE instance, which is also our reverse proxy has the FQDN set up in ''/etc/hosts'' properly. Additionally, ensure that your router is assigning the same matching local address (with dhcp) to the PVE as you assign within the PVE. In our situation, is the proxmux host and has 80/443 passed to it by a port forward on the openWRT router. Only the openWRT router is public facing. The openWRT router is and hands out addresses to clients on the LAN in that subnet. The PVE instance is both a reverse proxy with nginx for clients upstream on the LAN, and also a bridge for the VMs that reside on the PVE hypervisor (as per the bridge config above). Therefore, we want to ensure that both the openWRT router and the PVE instance itself have a static address.  
 +  sudo nano /etc/hosts 
 +  < pve> 
 +  sudo nano /etc/hostname 
 +  <> 
 +Set up configurations for each website on nginx as follows: 
 +  sudo apt install nginx 
 +  sudo nano /etc/nginx/sites-available/ 
 +Enter this in the file 
 +  server { 
 +    server_name; 
 +    location / { 
 +        proxy_pass; 
 +        #proxy_set_header Host; 
 +    } 
 +  } 
 +Repeat this as needed for each VM within PVE. For example, here's another entry for an instance doing nextcloud instead of music: 
 +  sudo nano /etc/nginx/sites-available/ 
 +Enter this in the file 
 +  server { 
 +    server_name; 
 +    location / { 
 +        proxy_pass; 
 +        #proxy_set_header Host; 
 +    } 
 +  } 
 +Once this is done, set up TLS on the PVE/RP instance as follows: 
 +  sudo apt install certbot letsencrypt python3-certbot-nginx 
 +  sudo certbot --authenticator standalone --installer nginx -d --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" 
 +Remember, it the reverse proxy web server does not need to match the upstream web server on the LAN at the two different clients '''' and '''' because it is just a reverse proxy. It is simply fielding external url requests on port 80/443 for and and sending those requests upstream to the web servers on those clients which take over at that point. This works fine for browsing these sites when you are external, or not on the LAN. But if you are within the LAN, you need to enable NAT loopback on your port forwards to 80/443 on the openWRT router. You do that by going to Firewall / Port Forward / Edit / Advanced Settings / Enable NAT Loopback. Additionally, you must add corresponding entries in hosts within openWRT for each FQDN and the corresponding local IP. To do that, you go to DHCP and DNS / Hostnames / Add. That takes care of being able to access these sites within or without the LAN, but there's an additional issue. From inside the LAN, Firefox has no issue accessing these sites, but Chrome will refuse access to them since the cert on the reverse proxy does not match the host serving the website content. This is related to rfc 6844 and can be handled by either making openWRT a certificate authority that has permission to do this or by installing matching certificates within the clients. I chose the latter option because I don't want to expose openWRT or tinker with it. Inside the shell in each VM, make sure to set the FQDN, add certbot, and add some header entries: 
 +  sudo nano /etc/hosts [inside VM1] 
 +  < music> 
 +  sudo nano /etc/apache2/sites-enabled/ 
 +  <ServerName> 
 +  <Header add myheader ""> 
 +  <RequestHeader set myheader ""> 
 +That takes care of VM1, now let's do VM2:   
 +  sudo nano /etc/hosts [inside VM2] 
 +  < nextcloud> 
 +  sudo nano /etc/apache2/sites-enabled/ 
 +  <ServerName> 
 +  <Header add myheader ""> 
 +  <RequestHeader set myheader ""> 
 +Once this id done, restart your web server. In my case, the VMs are using apache and only the PVE / reverse proxy server is using nginx. After restarting the web servers inside each VM, you now can create the matching certs inside each VM. Here's the commands for VM1: 
 +  sudo apt install certbot letsencrypt python3-certbot-apache 
 +  sudo certbot --authenticator standalone --installer apache -d --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2" 
 +Here are the commands inside VM2: 
 +  sudo apt install certbot letsencrypt python3-certbot-apache 
 +  sudo certbot --authenticator standalone --installer apache -d --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2" 
 +Once that's done, make sure that you have cron jobs set for both VMs and for the reverse proxy server / PVE instance. Just enter the following in crontab for all three: 
 +  30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log 
 +This should now make Chrome happy since the VM cert will match the cert of the reverse proxy. Why does this work you might ask? Well, when you run certbot inside the VM, it merely cares whether it can be reached externally where you've declared it to be and since it can, it creates the cert without issue. The reverse proxy / PVE instance itself is also able to handle requests for these domains so certbot likewise has no problems issuing the cert there either. This not only makes the Chrome happy, but it addresses what the Chrome developers and rfc 6844 is concerned about, namely, that without this ... connections inside the LAN could potentially be non-TLS or non-header matching. So, this is a best of both worlds. 
-Dreamhost - prepare haacknet for home router. 
- --- //[[|oemb1905]] 2023/06/17 16:44//+ --- //[[|oemb1905]] 2023/06/19 17:40//