Disable tso gso
# Install ethtool, then turn off TCP segmentation offload (tso) and generic
# segmentation offload (gso) on eno1. This changes the running system only.
apt install ethtool
ethtool -K eno1 tso off gso off
# To reapply the setting each time the interface comes up, add the post-up
# line shown below to the eno1 stanza.
vim /etc/network/interfaces
-----
iface eno1 inet manual
post-up ethtool -K eno1 tso off gso off || true
-----
Export zfs volume to qcow2
# List the zvol symlinks to see which /dev/zdN device backs each VM disk.
ls /dev/zvol/rpool/data
---
lrwxrwxrwx 1 root root 12 Jan 30 03:47 vm-100-disk-0 -> ../../../zd0
lrwxrwxrwx 1 root root 14 Jan 30 03:47 vm-100-disk-0-part1 -> ../../../zd0p1
---
# Convert the raw zvol behind vm-100-disk-0 (/dev/zd0 in the listing above)
# into a qcow2 file; -p prints progress.
# NOTE(review): presumably VM 100 should be shut down first so the copy is
# consistent -- confirm.
# The exported file holds the full disk contents, including any secrets
# stored in the guest, so restrict who can read the target directory.
qemu-img convert -p -f raw /dev/zd0 -O qcow2 /mnt/pve/remote-storagebox/convert/vm-100-disk-0.qcow2
Fail2ban
# Install fail2ban
apt-get install fail2ban
# Put the jail settings in jail.local; the packaged jail.conf is left untouched
# so package upgrades do not overwrite the local configuration.
vim /etc/fail2ban/jail.local
-----
# sshd jail: reads SSH login failures from the systemd journal and bans the
# source address with iptables after 5 failures.
[sshd]
enabled = true
filter = sshd
banaction = iptables
backend = systemd
maxretry = 5
# A negative bantime makes the ban permanent: it stays until removed by hand.
bantime = -1
# Only loopback is exempt from banning.
# NOTE(review): with permanent bans, consider adding the address(es) you
# administer this host from, so a few mistyped passwords cannot lock you out.
ignoreip = 127.0.0.1/8
-----
# Start fail2ban now and enable it at boot
systemctl enable --now fail2ban
# Show the sshd jail status, including the currently banned IPs
fail2ban-client status sshd
# Bans never expire with bantime = -1; to lift one by hand:
#   fail2ban-client set sshd unbanip <ip-address>
Add Hetzner Box to PVE
# Register the CIFS share "backup" on the Storage Box as PVE storage
# "remote-box", allowed to hold backups only (--content backup).
# The password is given as a command-line argument, so it ends up in the
# shell history and is visible in the process list while the command runs.
# Remove the history entry afterwards and use a password that is dedicated
# to this storage.
pvesm add cifs remote-box --server u100000.your-storagebox.de --share backup --username u100000 --password <your-storage-box-password> --content backup
Add rsync backend
# Copy /data recursively to the Storage Box over SSH on port 23.
# --recursive on its own does not preserve permissions, ownership or
# timestamps. NOTE(review): -a may be what is wanted for backups -- confirm.
# Verify the SSH host key fingerprint on first connect instead of accepting
# it blindly.
rsync --progress -e 'ssh -p23' --recursive /data u100000@u100000.your-storagebox.de:<target_directory>
PVE Kernel Pin
# List installed kernels
proxmox-boot-tool kernel list
# Install the 5.13 kernel series
apt install pve-kernel-5.13
# List installed kernels again to get the exact version string to pin
proxmox-boot-tool kernel list
# Pin 5.13.19-6-pve so it is booted by default even when newer kernels are
# installed. While the pin is in place, kernel security updates installed
# later are not booted, so remove the pin once the reason for it is gone.
proxmox-boot-tool kernel pin 5.13.19-6-pve
# Save settings (rewrite the boot configuration)
proxmox-boot-tool refresh
# Reboot so the pinned kernel is the one running
# Unpin the kernel to go back to booting the newest installed one
proxmox-boot-tool kernel unpin 5.13.19-6-pve
proxmox-boot-tool refresh
Create Lxc container
# Downloads debian.sh from the "main" branch and executes it straight away
# with the privileges of the current shell (typically root on a PVE host).
# Nothing is reviewed before it runs, and the content behind "main" can change
# between two invocations.
# NOTE(review): safer to download the script to a file, read it, and fetch it
# from a fixed commit (.../tteck/Proxmox/<commit-sha>/ct/debian.sh) before
# executing. Also confirm the repository is still maintained at this URL.
# -q hides wget errors: a failed download runs an empty command silently.
bash -c "$(wget -qLO - https://raw.githubusercontent.com/tteck/Proxmox/main/ct/debian.sh)"
Disable AppArmor on a privileged LXC container
# Execute on the PVE host, not inside the container
cd /etc/pve/lxc
vim 101.conf
# Add the two lines shown below to the end of the file.
# "lxc.apparmor.profile: unconfined" removes AppArmor confinement, and an
# empty "lxc.cap.drop:" clears the list of dropped capabilities, so the
# container keeps all of them. In a privileged container root is not remapped
# to an unprivileged host user, so after this change very little separates the
# container from the host. Use it only for workloads you fully trust; prefer
# an unprivileged container or a VM where possible.
---
...
lxc.apparmor.profile: unconfined
lxc.cap.drop:
---
Connection limit
# Install iptables-persistent so the rules saved under /etc/iptables are
# restored at boot
apt install iptables-persistent
# Add limit rules: drop forwarded TCP packets to ports 80 and 443 while the
# source group has more than 16 connections.
# --connlimit-mask 16 groups sources by /16 prefix, so the limit of 16 is
# shared by every client in the same /16 network; a mask of 32 would count
# each IPv4 address on its own. NOTE(review): confirm that /16 is intended.
# -A appends, so the rules only see packets that no earlier FORWARD rule has
# already accepted. These are IPv4 rules; IPv6 needs matching ip6tables rules.
iptables -A FORWARD -p tcp --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 16 -j DROP
iptables -A FORWARD -p tcp --dport 443 -m connlimit --connlimit-above 16 --connlimit-mask 16 -j DROP
# Save rules
iptables-save > /etc/iptables/rules.v4
# List rules with their line numbers
iptables -L FORWARD -v --line-numbers
# Delete a rule by its line number from the listing above; check the number
# first, and run iptables-save again afterwards to persist the deletion
sudo iptables -D FORWARD 1