
Adding two-step login verification (TFA) to the Proxmox (PVE) web control panel

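PVE provides a full-featured graphical web management interface, and many operations can be completed there. Because this interface carries fairly high privileges, a leaked account password would have serious consequences. Adding a two-step verification mechanism to the web management interface therefore raises the security level of the system.

The official PVE site also provides a tutorial, but it has to be carried out on the command line. Recently, however, I found a very simple method that needs neither the PVE command line nor an oathkey generation script; a few mouse clicks in the web management interface are enough.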

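Preparation

Before starting the configuration, prepare the following:

  • A working Proxmox installation
  • An OTP app installed on your phone. FreeOTP is recommended on iOS; on Android you can choose andOTP, Google Authenticator, or another app with similar functionality
  • Tested successfully with andOTP.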

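Configuration

Log in to the PVE management interface and click the user menu at the far top right to open the drop-down menu.

Click TFA to open the two-factor authentication settings dialog.

Scan the QR code that appears with the phone app; if it cannot be scanned, add the entry manually.

Then enter the number shown on the phone into the verification code field in the web management interface.

Click Apply.

Then log out and log in to the web management interface again. This time, after you enter the account name and password, the system prompts for a verification code; enter the current dynamic code from your phone to log in.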

Tips

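With this method, to change the TFA key you only need to click Randomize in the two-factor authentication dialog and then scan again with the phone app, or add the entry manually.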

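M1 macOS tip

Users of macOS on an M1 processor can install iOS apps, so FreeOTP can be installed on the computer you use every day (macOS also has dedicated OTP software, but... FreeOTP is free and simple), and you no longer need to find your phone when logging in.

However, FreeOTP on macOS is currently not optimized for macOS, so when the QR code is shown, take a photo of it with your phone; once PVE two-step verification has been set up successfully, scan that photo with FreeOTP on macOS.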

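Summary

This article described how to set up two-step login verification through the PVE web management interface to improve security. I hope it helps. If you found the article useful, please like and bookmark it; your shares and follows are the motivation to keep writing.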

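Example steps for importing a Windows OVF into PVE

Microsoft provides downloadable virtual machines for Windows development. The following uses one of these images to demonstrate the OVF import feature.

*Download the virtual machine image archive*

After accepting the user agreement, select the VMware-based Windows 10 Enterprise (Evaluation - Build) and download the zip archive.

*Extract the disk image from the zip archive*

Use unzip or another tool to extract the zip archive, then copy the ovf and vmdk files to the Proxmox VE server over ssh/scp.

*Import the virtual machine*

The following command creates a new virtual machine whose CPU, memory and name are taken from the OVF configuration file, and imports the disk image into the local-lvm storage. Network configuration can be done by hand.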

qm importovf 999 WinDev1709Eval.ovf local-lvm

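The virtual machine import is now complete and the VM can be started.

Installing Proxmox VE 6 on Debian 10 (Buster)

Some problems came up after installation; I am still looking for a way to solve them.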


vm: ping domain
host:
journalctl -n xx -f
UFW BLOCK .....53......


Introduction

The installation of a supported Proxmox VE server should be done via Bare-metal_ISO_Installer. In some cases it makes sense to install Proxmox VE on top of a running Debian Buster 64-bit, especially if you want a custom partition layout. For this HowTo the following Debian Buster ISO was used: [1].

Install a standard Debian Buster (amd64)

Install a standard Debian Buster (for details see Debian) and configure a static IP. It is recommended to install only the "standard" package selection and nothing else, as Proxmox VE brings its own packages for QEMU and LXC. A desktop environment is not necessary.

Add an /etc/hosts entry for your IP address

Please make sure that your machine's hostname is resolvable via /etc/hosts, i.e. you need an entry in /etc/hosts which assigns an address to its hostname.

Make sure that you have configured one of the following addresses in /etc/hosts for your hostname:

  • 1 IPv4 or
  • 1 IPv6 or
  • 1 IPv4 and 1 IPv6

Note: This also means editing or rather removing the address 127.0.1.1 that might be present as default.

For instance, if your IP address is 192.168.15.77, and your hostname prox4m1, then your /etc/hosts file could look like:

127.0.0.1       localhost.localdomain localhost
192.168.15.77   prox4m1.proxmox.com prox4m1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

You can test if your setup is ok using the hostname command:

hostname --ip-address
192.168.15.77 # should return your IP address here
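The /etc/hosts rule above, written as a check that can be run before installing. This is an added example, not part of the Proxmox wiki text; the function name `check_hosts` is made up for illustration and the second sample file is constructed.

```python
import ipaddress

# First sample: the /etc/hosts shown above. Second sample (constructed): the
# Debian default that the note says must be edited or removed.
GOOD_HOSTS = """\
127.0.0.1       localhost.localdomain localhost
192.168.15.77   prox4m1.proxmox.com prox4m1
::1     localhost ip6-localhost ip6-loopback
"""
BAD_HOSTS = """\
127.0.0.1       localhost
127.0.1.1       prox4m1.proxmox.com prox4m1
"""


def check_hosts(hosts_text, hostname):
    """Return (addresses, problems) for `hostname` given /etc/hosts content."""
    short = hostname.split(".")[0]
    addresses, problems = [], []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        if hostname not in fields[1:] and short not in fields[1:]:
            continue
        if ip.is_loopback:  # covers 127.0.1.1 as well as 127.0.0.1 and ::1
            problems.append(f"{short} maps to loopback address {ip}")
        else:
            addresses.append(ip)
    for version in (4, 6):
        if sum(a.version == version for a in addresses) > 1:
            problems.append(f"more than one IPv{version} address for {short}")
    if not addresses:
        problems.append(f"no non-loopback address for {short}")
    return [str(a) for a in addresses], problems


if __name__ == "__main__":
    print(check_hosts(GOOD_HOSTS, "prox4m1"))
    print(check_hosts(BAD_HOSTS, "prox4m1"))
```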

Install Proxmox VE

Adapt your sources.list

Add the Proxmox VE repository:

echo "deb http://download.proxmox.com/debian/pve buster pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list

Add the Proxmox VE repository key:

wget http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg
chmod +r /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg  # optional, if you have a non-default umask

Update your repository and system by running:

apt update && apt full-upgrade

NOTE: If you have enabled another architecture (typically i386, to run some older software) and apt complains about not being able to find /binary-i386 ("Unable to find expected entry 'pve/binary-i386/Packages'"), you need to remove the other architecture or use this line instead:

deb [arch=amd64] http://download.proxmox.com/debian/pve buster pve-no-subscription

This is because the Proxmox repository does not have any architecture besides amd64; more information about multiarch on Debian is at: https://wiki.debian.org/Multiarch/HOWTO.

Install Proxmox VE packages

Install the Proxmox VE packages:

apt install proxmox-ve postfix open-iscsi

Configure packages which require user input on installation according to your needs (e.g. Samba asking about WINS/DHCP support). If you have a mail server in your network, you should configure postfix as a satellite system; your existing mail server will then be the relay host which routes the emails sent by the Proxmox server to their final recipient.

If you don't know what to enter here, choose local only and leave the system name as is.

Finally, reboot your system; the new Proxmox VE kernel should be automatically selected in the GRUB menu.

Note: If you have a subscription key don't forget to switch to the enterprise repository after installation, see Package repositories.

Recommended: remove the os-prober package

The os-prober package scans all the partitions of your host, including those assigned to guest VMs, to create dual-boot GRUB entries. If you didn't install Proxmox VE as dual boot beside another operating system, you can safely remove the os-prober package.

apt remove os-prober

Connect to the Proxmox VE web interface

Connect to the admin web interface (https://youripaddress:8006). If you have a fresh install and didn't add any users yet, you should use the root account with your Linux root password, and select "PAM Authentication" to log in.

Once logged in, create a Linux Bridge called vmbr0, and add your first network interface to it.

Adapt vmbr0 settings

Troubleshooting

resolv.conf gets overwritten

The PVE GUI expects to control DNS management and will no longer take its DNS settings from /etc/network/interfaces. Any package that auto-generates (overwrites) /etc/resolv.conf will cause DNS to fail, e.g. packages 'resolvconf' for IPv4 and 'rdnssd' for IPv6.

ipcc_send_rec[1] failed

If you see

ipcc_send_rec[1] failed: Connection refused

then you should review your /etc/hosts file according to the instructions above.

Optional Steps

Optional: Remove the Debian kernel

apt remove linux-image-amd64 'linux-image-4.19*'

Update and check grub2 config by running:

update-grub

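This guide covers installing a Proxmox VE 6 server on a Debian 10 (Buster) Linux system. The recommended and supported way to install a Proxmox VE server is via the Bare-metal_ISO_Installer.

Introduction

Proxmox Virtual Environment (VE) is an enterprise-grade open-source server virtualization solution based on the Debian Linux distribution with a modified Ubuntu LTS kernel. It lets you deploy and manage virtual machines and containers.

This setup assumes you are running a Debian 10 Buster Linux server (reference: how to install Debian 10 Buster). If you are not, follow our reference article to install Debian 10 on the dedicated server that will be used as the hypervisor. Note that you need a 64-bit processor with Intel 64 or AMD64 CPU extensions.

The following is how to install Proxmox VE 6 on Debian 10 (Buster).

I. Update Debian OS and set the system hostname

1. Update Debian OS

Update the apt package index before starting: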

sudo apt -y update

sudo apt -y upgrade

sudo reboot

2. Set the system hostname

We need to set the hostname and make sure it is resolvable via /etc/hosts:

sudo hostnamectl set-hostname prox6node01.example.com --static

echo "10.1.1.10 prox6node01.example.com prox6node01" | sudo tee -a /etc/hosts

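Replace example.com with a valid domain name.

II. Add the Proxmox VE repository

All Proxmox packages are pulled from the matching upstream repository, which is added to the system manually. Here we add the Proxmox VE No-Subscription Repository.

Import the GPG key: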

wget -qO - http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg | sudo apt-key add -

-------- or -------

wget http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg

sudo mv proxmox-ve-release-6.x.gpg /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg

sudo chmod +r /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg

Then add the Proxmox VE repository:

echo "deb http://download.proxmox.com/debian/pve buster pve-no-subscription" | sudo tee /etc/apt/sources.list.d/pve-install-repo.list

You can now update the repository and system by running:

sudo apt update && sudo apt dist-upgrade

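Add the Proxmox VE Ceph repository:

This is the main Ceph repository for Proxmox VE and holds the Ceph packages for production use. You can also use this repository to update only the Ceph client: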

echo "deb http://download.proxmox.com/debian/ceph-nautilus buster main" | sudo tee /etc/apt/sources.list.d/ceph.list

III. Install the Proxmox VE packages

These are the commands to run to install the Proxmox VE packages:

sudo apt install proxmox-ve postfix open-iscsi

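If you have a mail server in your network, you should configure postfix as a satellite system; your existing mail server will then be the "relay host" that routes the emails sent by the Proxmox server to their final recipient. If you don't know what to enter here, choose local only.

After installation, reboot the Debian system to boot with the Proxmox VE kernel: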

sudo reboot

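IV. Access the Proxmox VE web interface

Connect to the Proxmox VE admin web interface (https://youripaddress:8006):

The Proxmox VE control panel looks like this:

Select "PAM Authentication" and authenticate with the server's root user password.

Once logged in, create a Linux Bridge called vmbr0:

And add your first network interface to it:

This completes the Proxmox VE 6 installation.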