预计 2 ~ 3 周后，Proxmox VE 8.0 将迎来正式版发布。

Proxmox VE 8.0 Beta1 Released 9. June 2023

Note: this is a test version not meant for production use yet.

• Based on Debian 12 Bookworm (testing)

• Latest 6.2 Kernel as stable default

• QEMU 8.0.2

• LXC 5.0.2

• ZFS 2.1.11

• Ceph Quincy 17.2.6

Highlights

• New major release based on the great Debian Bookworm.

• Seamless upgrade from Proxmox VE 7.4, see Upgrade from 7 to 8

• Ceph Quincy enterprise repository.

• Access the most stable Ceph repository through any Proxmox VE subscription.

• Add access realm sync jobs.

• Synchronize users and groups from an LDAP/AD server automatically at regular intervals.

• Integrate host network bridge and VNet access when configuring virtual guests into Proxmox VE's ACL system.

• With the new SDN.Use privilege and the new /sdn/zones/<zone>/<bridge-or-vnet>/<vlan-tag> ACL object path, one can give out fine-grained usage permissions for specific networks to users.

Changelog Overview

Enhancements in the web interface (GUI)

• The Ceph repository selection now takes into account the subscription status of the complete cluster and recommends the optimal version for the cluster.

• Improved Dark color theme:

• The Dark color theme, introduced in Proxmox VE 7.4, received a lot of feedback from our community, which resulted in further improvements.

• Set strict SameSite attribute on the Authorization cookie

• The Markdown parser, used in notes, has been improved:

• You can now directly link to resources like rdp://<rest-of-url>, providing convenience links in the guest notes.

• it allows setting the target for links, to make any link open in a new tab or window.

• it allows providing URLs with a scheme different from HTTP/HTTPS;

• tag-names and protocols are matched case-insensitive.

• The mobile UI code was refactored to not suffer from incompatible changes made for the web-based GUI.

• The generated CSR used by the built-in ACME client now sets the correct CSR version (0 instead of 2).

• Uploading files now only computes the MD5 sum of the uploaded file, if it can be used for comparison with the user-provided one.

• Firewall settings: Improve the alignment of permissions checked by the web UI with the permissions actually required by the API.

• Explicitly disallow internal-only tmpfilename parameter for file uploads.

• Fix multipart HTTP uploads without Content-Type header.

• Show Ceph pool number in the web UI, as it is often mentioned in Ceph warnings and errors.

• Improved translations, among others:

• Ukrainian (NEW)

• Japanese

• Simplified Chinese

• Traditional Chinese

• The size units (Bytes, KB, MiB,...) are now passed through the translation framework as well, allowing localized variants (e.g., for French).

• The language selection is now localized and displayed in the currently selected language

Virtual Machines (KVM/QEMU)

• New QEMU Version 8.0:

• The virtiofsd codebase was replaced by a new and improved implementation based on Rust, which is packaged separately.

• QEMU Guest Agent now has initial support for NetBSD and OpenBSD.

• Many more changes, see the upstream changelog for details.

• Avoid invalid smm machine flag for aarch64 VM when using serial display and SeaBIOS.

• Warn if a network interface is not connected to a bridge on VM startup. This can happen if the user manually edited the VM config.

• Fix an issue with the improved code for volume size information gathering for passed through disks during backup preparation.

• Workaround breaking driver changes in newer Nvidia grid drivers, which prevented mediated devices (mdev) to be reclaimed upon guest exit.

• Prefer an explicit configured SMBIOS UUID for Nvidia vGPU passthrough.

• If a uuid command line parameter is present, it will be preferred over the default auto-generated UUID, containing the VMID and mdev index.

• This fixes an issue, with software inside the guest, which relies on a specific and unique UUID setting.

• Improved gathering of current setting for live memory unplugging.

• Avoid sending a temporary size of zero to QEMU when resizing block devices. Previously, this was done when resizing RBD volumes, but it is not necessary anymore.

• When resizing a disk, spawn a worker task to avoid HTTP request timeout (issue 2315).

• Allow resizing qcow2 disk images with snapshots (issue 517).

• cloud-init improvements:

• Introduce ciupgrade option that controls whether machines should upgrade packages on boot (issue 3428).

• Better align privilege checks in the web UI with the actual privileges required in the backend.

• Fix an issue where the hostname was not properly set on Fedora/CentOS machines, by passing the hostname via the fqdn option.

• Fix an issue where displaying pending changes via qm and pvesh caused an error.

• Allow setting network options with VM.Config.Cloudinit privileges, instead of requiring the more powerful VM.Config.Network privilege.

• Drop unused QMP commands for getting the link and creating/deleting internal snapshots.

• Replace usages of deprecated -no-hpet QEMU option with the hpet=off machine flag.

Containers (LXC)

• Improve handling of /etc/machine-id on clone operations - the file is now only truncated, if the source did not explicitly set it to 'uninitialized' or remove it. Thus, the admin can decide if they want first-boot semantics or not (see machine-id (5)).

• Set memory.high cgroup limit to 99.6% of configured memory. This setting gives the container a chance to free memory before directly running into an Out-of-Memory (OOM) condition. It is applied on lxc.conf generation and on hot-plugging memory to a running container.

• Warn users on conflicting, manual, lxc.idmap entries.

• Custom mappings can become quite complicated and cause overlaps fast.

• By issuing a warning upon container start, the user should find the wrong entry directly.

• When resizing a disk, perform plausibility checks already before spawning the worker task. This allows invalid requests to fail earlier.

• General code improvements, adhering to best practices for Perl code.

General improvements for virtual guests

• When cloning guests, the validation of the provided name of the clone is now happening in the frontend, improving UX.

• Add config files in /etc/pve/mapping and privileges Mapping.* in preparation for cluster-wide mapping of PCI/USB devices.

HA Manager

• Stability improvements of manual maintenance mode:

• Now, ha-rebalance-on-start ignores services that are already running.

• Fix an issue where a request for enabling maintenance mode on a node is lost, in case the rebooted node is the current active Cluster Resource Manager (CRM).

• Fix an issue where a shutdown policy other than migrate could cause a node in maintenance mode to leave maintenance mode too early or fence itself.

• Fix an issue where ha-rebalance-on-start could cause a newly added and already-running service to be shut down and migrated to another node.

• When enabling or disabling maintenance mode via the CLI, the ha-manager command now checks whether the provided node exists.

• This avoids misconfigurations, e.g., due to a typo in the node name.

Improved management for Proxmox VE clusters

• The rsync invocation used when joining nodes via ssh, which is deprecated, has been adapted to changes in rsync CLI argument parsing in Bookworm.

Backup/Restore

• Improve performance of backups that use zstd on fast disks, by invoking zstd without the --rsyncable flag (issue 4605).

• Suppress harmless but confusing "storing login ticket failed" errors when backing up to Proxmox Backup Server.

• When restoring from backups via the web UI, the VM/CT name is now validated client-side before sending an API request. This helps catching invalid names early.

• The web UI now sorts backups by date, whereas it previously sorted backups first by VMID and then by date. The VMID is added as an extra column for users who would like to restore the previous sorting order (issue 4678).

• Fix an issue where the backup job editor window occasionally did not show the selected guests (issue 4627).

• The fs-freeze-on-backup option of the QEMU guest agent, which controls whether the filesystem should be frozen for backups, can now be set in the web UI.

• Improve permission model for backup jobs: Editing backup jobs now generally requires the Datastore.Allocate privilege on the target storage, and editing backup jobs with dumpdir requires root privileges.

• Clarify description of the ionice setting.

Storage

• The file-based storage-types have two new config options create-base-path and create-subdirs. They replace the mkdir option and separate two different concepts:

• create-base-path decides if the path to the storage should be created if it does not exist,

• create-subdirs decides if the content-specific sub-directories (guest images, ISO, container template, backups) should be created.

• Conflating both settings in the single mkdir option caused a few unwanted effects in certain situations (issue 3214).

• The CIFS storage type can now be configured with custom mount options, as it was already possible for the NFS storage type.

• The subdir option of the CIFS storage type can now be configured in the web interface. The option can be used to mount a subdirectory of a SMB/CIFS share and was previously only accessible via the API/CLI.

• Improve API documentation for the upload method.

• The API now allows to also query replication jobs that are disabled.

• Allow @ in directory storage path, as it is often used to signify Btrfs subvolumes.

• When resizing RBD volumes, always round up sizes to the nearest integer. This avoids errors due to passing a floating-point size to the RBD tooling.

Ceph

• Add support for new Ceph enterprise repositories. When installing Ceph via pveceph install or the web UI, you can now choose between the test, no-subscription and enterprise (default) repositories. The -test-repository option of the pveceph install command was removed.

• Add pveceph osddetails command to show information about OSDs on the command line, with a level of detail that is comparable to the web UI/API.

• Drop support for hyper-converged Ceph Octopus and Pacific, as they are not supported in Proxmox VE 8.

• Proxmox VE 8 will support managing Quincy and newer Ceph server releases, setups still using Pacific can upgrade to Ceph Quincy before upgrading Proxmox VE from 7 to 8.

• The Ceph 17.2 Quincy client will still support accessing older Ceph server setups as a client.

• Remove overly restrictive validation of public_network during monitor creation. Configuring a public network like 0::/0 or 0::/1 caused a superfluous "value does not look like a valid CIDR network" error.

• The Ceph installation wizard in the web UI does not create monitors and managers called localhost anymore and uses the actual node name instead.

Access Control

• Add possibility to define realm sync jobs in the web UI. These allow to synchronize users and groups from an LDAP server automatically at regular intervals.

• Add TFA/TOTP lockout to protect against an attacker who has obtained the user password and attempts to guess the second factor:

• If TFA failed too many times in a row, lock this user account out of TFA for an hour. If TOTP failed too many times in a row, disable TOTP for the user account. Using a recovery key will unlock a user account.

• Add pveum tfa unlock command and /access/users/{userid}/unlock-tfa API endpoint for manually unlocking users.

• Add TFA lockout status to responses of /access/tfa and /access/users endpoints.

• Fix validity check for LDAP base DNs that was overly strict starting from Proxmox VE 7.4. For example, the check rejected base DNs containing both dashes and spaces (issue 4609).

• When authenticating via PAM, pass the PAM_RHOST item. With this, it is possible to manually configure PAM such that certain users (for example root@pam) can only log in from certain hosts.

• Add pveum tfa list command for listing second factors on the command line.

• The access/ticket API endpoint does not support the deprecated login API (using new-format=0) anymore.

• Remove the Permission.Modify privilege from the PVESysAdmin and PVEAdmin roles and restrict it to the Administrator role. This reduces the chances of accidentally granting privilege modification privileges.

• Login with TFA: In order to improve UX, fix wording of messages related to recovery keys.

• Forbid creating roles with names starting with PVE to reserve these role names for use in future upgrades.

• SDN.Use is required on a bridge/vnet (or its zone) in order to configure it in a guest vNIC.

• use /sdn/zones/localnetwork or /sdn/zones/localnetwork/<bridge> to allow usage of all or specific local bridges.

• use /sdn/zones/<zone> or /sdn/zones/<zone>/<bridge> to allow usage of all or specific vnets in a given SDN zone.

• Users with VM.Allocate/Datastore.Allocate/Pool.Allocate privileges, but without the Permissions.Modify privilege, can now only assign a subset of their own privileges to specific VM/storage/pool paths, instead of arbitrary roles.

Firewall & Software Defined Networking

• Allow to distinguish IP sets and aliases with the same name defined on the datacenter level and on the guest level by providing an explicit prefix (issue 4556). Previously, the innermost IP set/alias took precedence, which is still the default behavior if no prefix is provided.

• Fix an issue where an allowed special ICMP-type could accidentally be added as destination port for a layer 4 protocol, breaking firewall rule loading.

• Fix setting the correct vlan-protocol for QinQ zones if the bridge is vlan-aware.(issue 4683

• Fix an issue where routing between zones was enabled by default in exit nodes. This has been fixed by adding null-routes for each other zone prefix to each zone (issue 4389).

• Correctly order vrf and router bgp vrf entries by vrf name in the frr configuration. (issue 4662)

• For setups where a node is primary exit node for one vrf and secondary exit for a different vrf, the configuration now also adds the second vrf's default route. (issue 4657)

• Allow specifying a custom vxlan-tunnel port per interface.

• Update the frr configuration generation to the version of frr shipped in Debian Bookworm.

• Fix an issue where reloading the network configuration on a remote node created an error, which hid the actual issue with the network configuration.

• Add support for IPv6 SLAAC and router advertisement configuration in /etc/network/interfaces to ifupdown2.

• Fix live reloading when changing VLAN and VXLAN specific attributes.

• Add support for creating an OVS bridge which tags traffic with a specific VLAN tag to ifupdown2.

• This is to match the possibility in ifupdown.

Improvements for the management of Proxmox VE Nodes

• pve7to8 compatibility check script added.

• As with previous major upgrades, Proxmox VE 7 ships a script checking for issues with the current node/cluster. It should point to any issues which might prevent a successful major upgrade.

• Outdated pve6to7 compatibility check script was removed.

• Fix an issue where the web UI would display no APT repositories during a major upgrade.

• The new version of grub2 provided by Debian Bookworm (2.06-13) fixes an issue where a host using LVM would fail to boot with a message disk `lvmid/...` not found, even though the LVM setup is healthy.

Installation ISO

• The version of BusyBox shipped with the ISO was updated to version 1.36.1.

• The Proxmox-provided Ceph Quincy repo will be set-up by default, providing updates for a modern Ceph client even if Proxmox Ceph hyper-converged setup is not in use.

• Detection of unreasonable system time.

• If the system time is older than the time the installer was created, the system notifies the user with a warning.

• ethtool is now shipped with the ISO and installed on all systems.

• systemd-boot is provided by its own package instead of systemd in Debian Bookworm and is installed with the new ISO.

Notable bug fixes and general improvments

• Most git repositories now have a dsc Makefile target to create a Debian Source Package and additionally a sbuild target to create the source package and build it using sbuild.

Known Issues & Breaking Changes

• Storage activation now checks that every content type uses a different directory, in order to prevent unexpected interactions between different content types. This breaks setups in which the content-dirs option was set up to map different content types to the same directory, and setups in which some content directories were manually set up as symlinks to a common directory.

• QEMU 8.0 removed some previously deprecated features. Proxmox VE 8 won't use the -chardev tty and -chardev parport aliases anymore, and no other features were used by the Proxmox VE stack. Thus, only installations using args inside their guest configs need to check the compatibility. See the Qemu changelog on the topic for details.

• The removed features in QEMU 8.0 also include the Proxmox VE-specific, but unused/deprecated QMP commands get_link_status, snapshot-drive and delete-drive-snapshot.

• The lxc.id_map configuration key has been deprecated for a long time by lxc and was replaced by lxc.idmap. With this release, its presence is considered an error. The key can only be present if it was manually added to a guest configuration.

• The lxcfs is now built with fuse 3. This upgrade is done on a major release, since all running containers need to be restarted afterwards.

• Permission System

• There is a new SDN.Use privilege (and corresponding PVESDNUser role) that is required to configure virtual NICs in guests. See SDN section above for details!

• The Permission.Modify privilege has been removed from the PVESysAdmin and PVEAdmin roles, in order to reduce the chances of accidentally granting the privilege to modify privileges. If a particular setup requires a role with this privilege, it is necessary to define a new custom role and use that instead of PVESysAdmin/PVEAdmin.

• Users with VM.Allocate/Datastore.Allocate/Pool.Allocate privileges, but without the Permissions.Modify privilege, can now only assign a subset of their own privileges to specific VM/storage/pool paths. Previously they could assign any role to specific VM/storage/pool paths. As the privileges usable on specific VM/storage/pool paths were quite limited, this did not allow privilege escalation, but restricting the capabilities now allows adding more powerful privileges in future versions without breaking changes.

• Editing backup jobs now generally requires the Datastore.Allocate privilege on the target storage, and editing backup jobs with dumpdir requires root privileges.

• User accounts will now be locked after too many attempts to authenticate with a second factor. This is intended to protect against an attacker who has obtained the user password and attempts to guess the second factor. Unlocking requires either a successful login with a recovery key or a manual unlock by an administrator.

• The API can handle array-type data differently, while staying backward compatible.

• Instead of being able to pass the individual elements separated by null bytes, you can pass the data directly as array.