# Proxmox Containers management

This role handles container and VM creation.
## SSH tunneling of the API

We want to avoid reaching the Proxmox API through its public IP (we would like to block it in the future). At the same time, because the community.proxmox modules have Python package dependencies, it is better to run them locally: otherwise those dependencies would be needed on the remote host, and on Debian installing packages system-wide with pip is forbidden while the versions available through apt may not be the right ones.

So we use an SSH tunnel to the API. This is made possible by adding:

```ini
ansible_ssh_common_args = '-L {{ proxmox_api_local_port }}:127.0.0.1:8006'
```

to the proxmox node group in the Ansible inventory, and by adding a `proxmox_api_local_port` variable with a unique port for each Proxmox host.
This also needs a persistent SSH connection, so in `ansible.cfg`:

```ini
[ssh_connection]
# These settings create a persistent SSH socket that can be reused.
# We need this because we use SSH tunneling to access the Proxmox API.
ssh_args = -o ControlMaster=auto -o ControlPersist=60s
control_path = ~/.ansible/cp/ansible-ssh-%%h-%%p-%%r
```
## Creating containers

If you create containers, there are a few important points to mention:

- you must add your container to the inventory first
- you must add a `host_vars/<container_name>/<container_name>_secrets.yml` file with the `ansible_become_password` and `ansible_user_password_salt` secret variables
## Troubleshooting

### 596 Errors during TLS negotiation

If you get the error "596 Errors during TLS negotiation", it might be misleading. We ask not to verify the certificate, so the error does not come from using a self-signed certificate. It may instead come from a wrong node name: it must be exactly the same name as the node in Proxmox (seen here).
### No authentication methods available

`community.proxmox.proxmox_pct_remote` uses SSH to connect to the Proxmox node. Therefore, it needs your private key. If your key has a default name (such as `id_ed25519`), this should work without problems. If not, you might need to add the following parameter to your command:

```shell
ansible-playbook [...] --extra-vars "ansible_paramiko_private_key_file=/path/to/your/key"
```
## Defaults

```yaml
---
# the api hosts
# see README about SSH Tunneling
proxmox_containers__api_host: 127.0.0.1
proxmox_containers__api_port: 8006
# mandatory to provide
proxmox_containers__api_token_id:
proxmox_containers__api_token_secret:
proxmox_containers__api_user:
# containers on this host
proxmox_containers__containers: []
# each entry is a dict with the following keys (see defaults below)
#   id: container or vm id
#   hostname:
#   features: additional features, as a list of string "key=value" (eg. nesting=1)
#   unprivileged: bool, true to run an unprivileged container
#   tags: list of tags
#   disk:
#     storage: which storage to use (eg. zfs-hdd)
#     options: options on storage
#     size: size in GiB
#   cores: number of cores
#   memory: memory size in MB
#   swap: swap size in MB
#   netif: network definition (see plugins/filter/proxmox.py for all possible fields)
#     netX: the key is net0, net1, net2, etc.
#       name: name of the interface
#       bridge: name of the bridge
#       ip: ip address with mask
#       ip6: ipv6 address with mask
#       gw: gateway address
#       gw6: gateway address for ipv6
#   onboot: should the container/vm start on boot
#   state: (started / present / absent)
proxmox_containers__default_unprivileged: true
proxmox_containers__default_tags: rpool
# default values for new containers disks
proxmox_containers__default_disk_storage: rpool
proxmox_containers__default_disk_options: {}
proxmox_containers__default_disk_size: 8
# containers defaults
proxmox_containers__default_features: ["nesting=1"]
proxmox_containers__default_cores: 1
proxmox_containers__default_memory: 2048
proxmox_containers__default_swap: 0
proxmox_containers__default_onboot: true
# for ssh access via public keys
proxmox_containers__github_url: "https://github.com"
proxmox_containers__github_authorized_users: []
```
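As an added example that is not part of the role, the SSH tunneling setup and the defaults above wired together: a YAML inventory for two nodes carrying the tunnel variables, followed by a `host_vars` file declaring one container. The node names, ports, storage name, addresses, the `vault_*` variable names and the `proxmox_containers__api_port` override pointing at the tunnel's local end are assumptions, not values taken from the role.

```yaml
# inventory/proxmox.yml -- constructed example, not shipped with the role
all:
  children:
    proxmox:
      vars:
        # one forward per node: controller port -> API on the node's loopback
        ansible_ssh_common_args: "-L {{ proxmox_api_local_port }}:127.0.0.1:8006"
        proxmox_containers__api_host: 127.0.0.1
        # assumption: the modules run on the controller, so they must use the
        # tunnel's local port rather than the default 8006
        proxmox_containers__api_port: "{{ proxmox_api_local_port }}"
      hosts:
        pve1.example.internal:
          proxmox_api_local_port: 18006   # unique per node
        pve2.example.internal:
          proxmox_api_local_port: 18007
    containers:
      hosts:
        web01:   # the container must be in the inventory before it is created
---
# host_vars/pve1.example.internal/containers.yml -- constructed example
proxmox_containers__api_user: "ansible@pam"
# token id and secret come from a vaulted file (assumed variable names)
proxmox_containers__api_token_id: "{{ vault_proxmox_api_token_id }}"
proxmox_containers__api_token_secret: "{{ vault_proxmox_api_token_secret }}"
proxmox_containers__containers:
  - id: 101
    hostname: web01
    unprivileged: true
    tags: [rpool, web]
    disk:
      storage: zfs-hdd
      size: 16
    cores: 2
    memory: 4096
    swap: 0
    netif:
      net0:
        name: eth0
        bridge: vmbr0
        ip: 10.0.10.11/24
        gw: 10.0.10.1
    onboot: true
    state: started
```

Keys left out of the container entry (`features`, `disk.options`) fall back to the `proxmox_containers__default_*` values listed above.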