Proxmox VE, upgrade from 7 to 8.1, on Dell T7910
Table of Contents
I upgraded my existing ProxmoxVE version 7 install to version 8.1.
As expected, this was hassle free.
These are mainly my notes on cleaning out previous CephFS fiddlings.
8.1 was released last November. I finally found time where I could have a short downtime of all the VMs I run on my single PVE node.
New features of interest to me
- Secure boot is now supported, so I followed the docs for switching an existing install to secboot and then enabled secboot in my T7910’s BIOS setup.
- There are repos for Ceph Reef, while my Ceph (currently Reef) cluster is external of Proxmox, I like having easy access to Reef client tools.
Upgrade procedure from 7 to 8.1
Is extremely well documented on their Wiki page Upgrade from 7 to 8. That page contained all the information I needed. Props for making good docs.
BaseOS update from Debian 11 to 12 is the well known and hassle free dist-upgrade.
For the Proxmox part there is a shell script and the detailed wiki page linked above,
The update of both Debian and PVE took me less then an hour, since I curreny only run a single PVE node, I shut down all my VMs before starting the upgrade.
The following wiki pages applied to my setup
- Systemd-boot (for ZFS on root and UEFI systems only)
- 3.13.8. Secure Boot, Switching an Existing Installation to Secure Boot
Used repositories
NOTE: These repositories suit my use-case. Refer to Proxmox’ docs for choosing repos that match yours.
root@t7910:~# for i in /etc/apt/sources.list /etc/apt/sources.list.d/* ; do echo "### START of my ${i}" ; cat ${i} ;echo "### END of my ${i}" ; echo ; done
### START of my /etc/apt/sources.list
deb http://ftp.de.debian.org/debian bookworm main contrib non-free-firmware
deb http://ftp.de.debian.org/debian bookworm-updates main contrib non-free-firmware
# Proxmox VE pve-no-subscription repository provided by proxmox.com,
# NOT recommended for production use
deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
# security updates
deb http://security.debian.org/debian-security bookworm-security main contrib non-free-firmware
### END of my /etc/apt/sources.list
### START of my /etc/apt/sources.list.d/ceph.list
#deb http://download.proxmox.com/debian/ceph-pacific bullseye main
deb http://download.proxmox.com/debian/ceph-reef bookworm no-subscription
### END of my /etc/apt/sources.list.d/ceph.list
### START of my /etc/apt/sources.list.d/pve-enterprise.list
# deb https://enterprise.proxmox.com/debian/pve bookworm pve-enterprise
### END of my /etc/apt/sources.list.d/pve-enterprise.list
### START of my /etc/apt/sources.list.d/pve-enterprise.list.dpkg-dist
deb https://enterprise.proxmox.com/debian/pve bookworm pve-enterprise
### END of my /etc/apt/sources.list.d/pve-enterprise.list.dpkg-dist
### START of my /etc/apt/sources.list.d/tarsnap.list
deb https://pkg.tarsnap.com/deb/bookworm ./
### END of my /etc/apt/sources.list.d/tarsnap.list
Clean out a previous fiddling of mine related to CephFS access
I do not know if the docs got better of if I simply overlooked this part of the PVE docs when I initially set up access to my (external) CephFS.
Specifically the note The secret is only the key itself, as opposed to the rbd backend, doh, my bad. Fixed now.
I very much presume that back then I just read the docs badly, no matter, cleaned this up as follows;
- Get a secret (secret, not a keyring), on the Ceph side
[root@f5-422-01 ~]# cephadm shell
[…]
Using ceph image with id '8b60f94e29cf' and tag '<none>' created on 2023-12-07 14:38:55 +0000 UTC
registry.redhat.io/rhceph/rhceph-7-rhel9@sha256:6d973960c99e0aa918436385ae1eb7175159049d0cc730beb411dad44f58ccd0
[ceph: root@f5-422-01 /]# ceph auth get-key client.proxmox_fs
-
Put secret in a file
-
transfer file to Proxmox node t7910, out of old habits I put it at
/etc/ceph/ceph.client.proxmox_fs.secret -
adjust my existing storage config as follows
root@t7910:~# pvesm set cephfs-external --keyring /etc/ceph/ceph.client.proxmox_fs.secret
- verify PVE ingested the secret
root@t7910:~# ls -lh /etc/pve/priv/ceph/
total 1.5K
-rw------- 1 root www-data 153 Aug 29 2021 cephfs-external.keyring
-rw------- 1 root www-data 41 Mar 27 18:24 cephfs-external.secret
-rw------- 1 root www-data 138 Aug 29 2021 ceph-rbd-external.keyring
root@t7910:~#
And I guess this also explains why I had issues previously, I had fed it a keyring, not a secret.
FIXME: Clean out the now obsolete /etc/pve/priv/ceph/cephfs-external.keyring and /etc/ceph/…?
root@t7910:~# ls -lh /etc/ceph/
total 19K
-r-------- 1 root root 153 Aug 29 2021 ceph.client.proxmox_fs.keyring
-rw------- 1 root root 41 Mar 27 18:21 ceph.client.proxmox_fs.secret
-r-------- 1 root root 138 Aug 29 2021 ceph.client.proxmox_rbd.keyring
-rw-r--r-- 1 root root 287 Aug 29 2021 ceph.conf
-rw-r--r-- 1 root root 92 May 31 2021 rbdmap
root@t7910:~#
Disable Kernel Samepage Merging
Since I have plenty RAM and do not want the performance hit of KSM, I disabled as per docs
root@t7910:~# systemctl disable --now ksmtuned
root@t7910:~# echo 2 > /sys/kernel/mm/ksm/run
Enable Secure Boot
Again, just followed the documentation. Specifically 3.13.8. Secure Boot, Switching an Existing Installation to Secure Boot.
Check Secure Boot Status
root@t7910:~# date ; mokutil --sb-state
Sun Mar 31 09:07:51 PM CEST 2024
SecureBoot enabled