How to recover and update Proxmox 8 firewall configuration in SQLite when you locked yourself out

TLDR

From a rescue system the firewall config is not found at /etc/pve/firewall/cluster.fw (that path is only a view served by the pmxcfs cluster filesystem while Proxmox is running); the backing store is the SQLite database /var/lib/pve-cluster/config.db. Reboot the system into rescue mode, mount the Proxmox root, change the value enable: 1 to enable: 0 in the cluster.fw entry of that database, and reboot back into Proxmox.

Context

I made a noob mistake and locked myself out of my server. Luckily Hetzner allows me to reboot into rescue mode. This is what happened and how I managed to get my access back.

In other words, this tutorial is for situations where you've accidentally locked yourself out of your Proxmox server due to a firewall misconfiguration (like I did). In my case, I enabled the firewall (enable: 1) with an incorrect configuration, preventing access to the server. The solution involves booting into a rescue system, mounting the Proxmox partition, and manually editing the firewall configuration in the SQLite database.

Prerequisites

  • Access to a rescue system (e.g., Hetzner Rescue System)
  • Basic knowledge of Linux commands and SQLite, although you can copy and paste these commands and it should work.

Disclaimer: I am not responsible for data loss or anything else for that matter. The following commands worked for me and nothing bad happened. I put them here in case they help someone else, as I had to research for a few hours before solving this (especially the issue of not finding the config).

Step 1: Boot into Rescue System

Boot your server into the rescue system provided by your hosting provider (e.g., Hetzner Rescue System).

Step 2: Identify the Proxmox Partition

Use the lsblk command to list all block devices:

lsblk

Identify the partition where Proxmox is installed. It's often part of a RAID array or LVM setup.

In my case the output was like this:

loop0            7:0    0   3.1G  1 loop
nvme1n1        259:0    0 476.9G  0 disk
├─nvme1n1p1    259:1    0   256M  0 part
│ └─md0          9:0    0 255.9M  0 raid1
├─nvme1n1p2    259:2    0     1G  0 part
│ └─md1          9:1    0  1022M  0 raid1
└─nvme1n1p3    259:3    0 475.7G  0 part
  └─md2          9:2    0 475.6G  0 raid1
    ├─vg0-root 253:0    0    64G  0 lvm
    ├─vg0-swap 253:1    0     8G  0 lvm
    └─vg0-data 253:2    0   402G  0 lvm
nvme0n1        259:4    0 476.9G  0 disk
├─nvme0n1p1    259:5    0   256M  0 part
│ └─md0          9:0    0 255.9M  0 raid1
├─nvme0n1p2    259:6    0     1G  0 part
│ └─md1          9:1    0  1022M  0 raid1
└─nvme0n1p3    259:7    0 475.7G  0 part
  └─md2          9:2    0 475.6G  0 raid1
    ├─vg0-root 253:0    0    64G  0 lvm
    ├─vg0-swap 253:1    0     8G  0 lvm
    └─vg0-data 253:2    0   402G  0 lvm

There I saw that I should mount vg0 (its root logical volume), and that it was in the RAID array md2.

Step 3: Assemble RAID Array (if applicable)

If your Proxmox partition is part of a RAID array, assemble it:

mdadm --assemble --scan

Step 4: Activate Volume Group

Activate the volume group (usually named vg0 in Proxmox):

vgchange -ay vg0

Step 5: Mount the Proxmox Partition

Create a mount point and mount the Proxmox root partition:

mkdir /mnt/proxmox
mount /dev/vg0/root /mnt/proxmox

Verify the mount:

ls /mnt/proxmox/

Here you should see some files and directories.

Step 6: Locate the Configuration Database

The Proxmox configuration is stored in an SQLite database. Locate it:

ls -la /mnt/proxmox/var/lib/pve-cluster

You should see a file named config.db.

Step 7: Access the SQLite Database

Open the SQLite database:

sqlite3 /mnt/proxmox/var/lib/pve-cluster/config.db

sqlite3 is already installed in the rescue system of Hetzner. You need to install it if it's not available in your system.

Step 8: Check the Current Firewall Configuration

View the current firewall configuration:

SELECT * FROM tree WHERE name = 'cluster.fw';

Note: Initially I didn't know where this was, so I used the following to find where the entry was and whether there was one at all.

SELECT * FROM tree WHERE name LIKE '%.fw';

Step 9: Update the enable Option

Change the enable option from 1 to 0 to disable the firewall:

UPDATE tree 
SET data = replace(data, 'enable: 1', 'enable: 0') 
WHERE name = 'cluster.fw';

Step 10: Verify the Change

Confirm that the change was made successfully:

SELECT * FROM tree WHERE name = 'cluster.fw';

Step 11: Exit SQLite

Exit the SQLite prompt:

.quit

Step 12: Unmount and Reboot

Unmount the Proxmox partition and reboot the server:

umount /mnt/proxmox
reboot
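Steps 7 to 10 can be rehearsed before touching the real file. The following is an added example, not code from the original post or from Proxmox: it builds a throw-away stand-in for config.db, takes the backup the Important Notes below ask for, and performs the edit as a read-modify-write that only changes the `enable:` key inside the `[OPTIONS]` section, so any other line that happened to contain `enable: 1` would stay untouched. It assumes the table is called `tree` with columns `name` and `data` (both appear above; the real pmxcfs schema has more columns, which are omitted here), and the cluster.fw text is constructed sample data.

```python
# Added example (not from the post). Assumed schema: table `tree` with at least
# the columns `name` and `data`; the real config.db has further columns.
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample: the shape of a cluster.fw with the firewall switched on.
SAMPLE_CLUSTER_FW = b"""[OPTIONS]

enable: 1
policy_in: DROP

[RULES]

IN SSH(ACCEPT) -source 203.0.113.10 -log nolog
"""


def sql(path: Path, statement: str, params=()):
    """Run one statement, commit it, and return the first row (or None)."""
    con = sqlite3.connect(path)
    try:
        with con:
            return con.execute(statement, params).fetchone()
    finally:
        con.close()


def make_sample_db(path: Path) -> None:
    """Stand-in for config.db: one firewall row plus one unrelated row."""
    sql(path, "CREATE TABLE tree (inode INTEGER PRIMARY KEY, name TEXT NOT NULL, data BLOB)")
    sql(path, "INSERT INTO tree (name, data) VALUES ('cluster.fw', ?)", (SAMPLE_CLUSTER_FW,))
    sql(path, "INSERT INTO tree (name, data) VALUES ('corosync.conf', ?)", (b"totem {}\n",))


def backup_db(path: Path) -> Path:
    """Copy the untouched database before anything is written to it."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    return backup


def read_entry(path: Path, name: str) -> str:
    """Steps 8 and 10: fetch one entry's data as text."""
    row = sql(path, "SELECT data FROM tree WHERE name = ?", (name,))
    if row is None:
        raise LookupError(f"no {name!r} entry in tree")
    data = row[0]
    return data.decode() if isinstance(data, bytes) else data


def set_options_enable(text: str, value: int) -> str:
    """Rewrite the `enable:` key, but only inside the [OPTIONS] section.

    Unlike replace('enable: 1', 'enable: 0'), this leaves identical text in
    other sections alone and also matches 'enable:1' written without a space.
    """
    out, section = [], None
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped
        elif section == "[OPTIONS]" and stripped.startswith("enable:"):
            line = f"enable: {value}\n"
        out.append(line)
    return "".join(out)


def firewall_enabled(text: str) -> bool:
    """True when the [OPTIONS] section says enable: 1 (absent means off)."""
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped
        elif section == "[OPTIONS]" and stripped.startswith("enable:"):
            return stripped.split(":", 1)[1].strip() == "1"
    return False


def disable_firewall(path: Path) -> str:
    """Step 9 as a read-modify-write; returns the text now stored in the row."""
    new_text = set_options_enable(read_entry(path, "cluster.fw"), 0)
    sql(path, "UPDATE tree SET data = ? WHERE name = 'cluster.fw'", (new_text.encode(),))
    return read_entry(path, "cluster.fw")


def rehearse() -> dict:
    """Run the whole flow in a temporary directory and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "config.db"
        make_sample_db(db)
        backup = backup_db(db)
        before = read_entry(db, "cluster.fw")
        after = disable_firewall(db)
        return {
            "before_enabled": firewall_enabled(before),
            "after_enabled": firewall_enabled(after),
            "backup_still_enabled": firewall_enabled(read_entry(backup, "cluster.fw")),
            "other_row_untouched": read_entry(db, "corosync.conf") == "totem {}\n",
            "rule_kept": "IN SSH(ACCEPT)" in after,
        }


if __name__ == "__main__":
    for key, value in rehearse().items():
        print(f"{key}: {value}")
```

Running the script prints the before/after state of the sample row. Against a real node you would point `backup_db`, `read_entry` and `disable_firewall` at the mounted `/mnt/proxmox/var/lib/pve-cluster/config.db` instead of the temporary copy, and keep the `.bak` file until Proxmox has booted and the web interface is reachable again.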

Important Notes

  • Disabling the Firewall: This process disables the firewall cluster-wide. Re-enable it after properly configuring it once you regain access.
  • Security Risks: A disabled firewall may expose your system to security risks. You have been warned.
  • Backup: Always create backups before making significant changes. I have my proxmox configs in a git repository for reference.
  • Alternative Methods: When possible, use the Proxmox web interface or CLI tools for configuration changes. At least that's what I've read. I like to use config files, but I also locked myself out of my server.

References

Several sites, but I can no longer remember all of them.

Some of the sites I visited are:

  • https://forum.proxmox.com/threads/ssh-connection-no-web-interface.110702/
  • https://www.reddit.com/r/Proxmox/comments/13hyn0y/how_to_secure_proxmox_web_ui/
  • https://eulenfunk.readthedocs.io/en/stable/supernode01.html
  • and many more ...
