Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From proxmox
Use this skill when the user asks about Proxmox VE, LXC containers, creating containers on Proxmox, running Docker in LXC, setting up a lightweight host for services like cloudflared, or managing Proxmox infrastructure. For deploying services inside the LXC via docker-compose, also recall the arcane plugin's arcane-gitops skill. For Cloudflare Tunnel setup, recall the cloudflare plugin's cloudflare-tunnels skill.
How this skill is triggered — by the user, by Claude, or both
Slash command
/proxmox:proxmox-lxcThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Proxmox VE (PVE) is an open-source server virtualization platform built on Debian. It supports both KVM virtual machines and **LXC containers** — lightweight, OS-level virtualization that shares the host kernel.
Proxmox VE (PVE) is an open-source server virtualization platform built on Debian. It supports both KVM virtual machines and LXC containers — lightweight, OS-level virtualization that shares the host kernel.
https://<proxmox-host>:8006| Feature | LXC Container | KVM VM |
|---|---|---|
| Boot time | ~1 second | ~30 seconds |
| Memory overhead | Minimal | ~256 MB+ |
| Kernel | Shared with host | Own kernel |
| Isolation | Namespace + cgroup | Full hardware |
| Performance | Near-native | Near-native (with VT-x) |
| Docker support | Needs nesting | Native |
| Use case | Services, Docker hosts | Windows, custom kernels |
Use LXC when: running Linux services, Docker hosts, lightweight workloads. Use KVM when: you need Windows, custom kernels, or strong isolation.
pct)# Download a template first
pveam update
pveam download local debian-12-standard_12.7-1_amd64.tar.zst
# Create an unprivileged container (most secure)
pct create 100 local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst \
--hostname my-service \
--memory 512 \
--swap 256 \
--cores 1 \
--rootfs local-lvm:8 \
--net0 name=eth0,bridge=vmbr0,ip=dhcp \
--nameserver 1.1.1.1 \
--unprivileged 1 \
--start 1
# Enter the container
pct enter 100
| Parameter | Example | Description |
|---|---|---|
--hostname | my-service | Container hostname |
--memory | 2048 | RAM in MB |
--swap | 512 | Swap in MB |
--cores | 2 | CPU cores |
--rootfs | local-lvm:20 | Storage and disk size (GB) |
--net0 | name=eth0,bridge=vmbr0,ip=dhcp | Network config |
--nameserver | 1.1.1.1 | DNS server |
--unprivileged | 1 | Unprivileged (1) or privileged (0) |
--features | nesting=1 | Enable container features |
--onboot | 1 | Start on host boot |
Docker works in unprivileged containers on Proxmox 8.x+ with nesting=1 and keyctl=1 features enabled. This is the recommended approach — more secure than privileged containers.
pct create 101 local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst \
--hostname docker-host \
--memory 4096 \
--swap 1024 \
--cores 4 \
--rootfs local-lvm:50 \
--net0 name=eth0,bridge=vmbr0,ip=dhcp \
--features nesting=1,keyctl=1 \
--unprivileged 1 \
--onboot 1 \
--start 1
Key settings:
--unprivileged 1 — Unprivileged container (recommended, more secure)--features nesting=1,keyctl=1 — Both required for Docker in unprivileged LXCTo enable on an existing container (or via UI: Options > Features > check nesting + keyctl):
pct set 101 --features nesting=1,keyctl=1
pct enter 101
# Install Docker
curl -fsSL https://get.docker.com | sh
# Verify
docker run --rm hello-world
# Install docker-compose plugin
apt install -y docker-compose-plugin
# Verify
docker compose version
| Aspect | Unprivileged (recommended) | Privileged |
|---|---|---|
| Security | UID-mapped; escape = nobody on host | Container root = host root |
| Docker | Works with nesting=1,keyctl=1 | Works out of the box |
| Limitations | Cannot mount SMB/CIFS directly | Full host access on escape |
| ZFS caveat | Needs ext4 formatted volume | Native ZFS driver works |
Docker/containerd updates inside LXC can break with net.ipv4.ip_unprivileged_port_start permission errors. Pin or test containerd.io versions before upgrading. Snapshot before upgrading the host OS or Docker.
Lightest option — run cloudflared as a systemd service:
# Create a minimal unprivileged LXC
pct create 200 local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst \
--hostname cloudflared \
--memory 256 \
--swap 128 \
--cores 1 \
--rootfs local-lvm:4 \
--net0 name=eth0,bridge=vmbr0,ip=dhcp \
--unprivileged 1 \
--onboot 1 \
--start 1
pct enter 200
# Install cloudflared
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg \
| tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared bookworm main" \
| tee /etc/apt/sources.list.d/cloudflared.list
apt update && apt install -y cloudflared
# Install as a service with your tunnel token
cloudflared service install <TUNNEL_TOKEN>
systemctl enable --now cloudflared
# Verify
systemctl status cloudflared
Resources: 256 MB RAM, 1 core, 4 GB disk — minimal footprint.
If you want to run multiple services (cloudflared + apps) via docker-compose:
# Create a Docker-ready LXC (see above)
pct create 201 local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst \
--hostname docker-host \
--memory 4096 \
--cores 2 \
--rootfs local-lvm:30 \
--net0 name=eth0,bridge=vmbr0,ip=dhcp \
--features nesting=1,keyctl=1 \
--unprivileged 1 \
--onboot 1 \
--start 1
pct enter 201
# Install Docker
curl -fsSL https://get.docker.com | sh
# Deploy cloudflared + services via docker-compose
# See the cloudflare plugin's cloudflare-tunnels skill for compose files
# See the arcane plugin's arcane-gitops skill for GitOps deployment
# List all containers
pct list
# Start/stop/restart
pct start 100
pct stop 100
pct restart 100
# Enter container shell
pct enter 100
# Run a command inside container
pct exec 100 -- apt update
# Resize disk
pct resize 100 rootfs +10G
# Change resources (requires stop)
pct set 100 --memory 4096 --cores 4
# Snapshot
pct snapshot 100 before-upgrade
pct rollback 100 before-upgrade
# Clone
pct clone 100 102 --hostname clone-of-100
# Destroy (permanently delete)
pct destroy 100
# Backup
vzdump 100 --storage local --mode snapshot --compress zstd
# Restore
pct restore 103 /var/lib/vz/dump/vzdump-lxc-100-*.tar.zst
# CPU and memory usage
pct status 100
# Detailed status
pct config 100
# Via Proxmox API
curl -s "https://proxmox:8006/api2/json/nodes/<node>/lxc/100/status/current" \
-H "Authorization: PVEAPIToken=<user>!<token>=<secret>"
All operations available via REST API:
# Create container via API
curl -X POST "https://proxmox:8006/api2/json/nodes/<node>/lxc" \
-H "Authorization: PVEAPIToken=user@pam!mytoken=<secret>" \
-d "vmid=100" \
-d "hostname=my-container" \
-d "ostemplate=local:vztmpl/debian-12-standard.tar.zst" \
-d "memory=2048" \
-d "cores=2" \
-d "rootfs=local-lvm:20" \
-d "net0=name=eth0,bridge=vmbr0,ip=dhcp" \
-d "unprivileged=1" \
-d "start=1"
Community providers for Proxmox IaC:
// Pulumi example — create an LXC container
import * as proxmox from "@muhlba91/pulumi-proxmoxve";
const provider = new proxmox.Provider("pve", {
endpoint: "https://pve.example.com:8006/",
apiToken: "root@pam!pulumi=<secret>",
insecure: true,
});
const ct = new proxmox.ct.Container(
"docker-host",
{
nodeName: "pve",
vmId: 101,
operatingSystem: {
templateFileId: "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst",
type: "debian",
},
disk: { datastoreId: "local-lvm", size: 20 },
cpu: { cores: 2 },
memory: { dedicated: 2048 },
networkInterface: { name: "eth0", bridge: "vmbr0" },
features: { nesting: true, keyctl: true },
unprivileged: true,
},
{ provider },
);
Note: Creating multiple containers in parallel can cause Proxmox lock errors. Use sequential creation or
parallelism: 1in Terraform.
| Workload | Memory | Cores | Disk |
|---|---|---|---|
| cloudflared (direct) | 256 MB | 1 | 4 GB |
| Single service | 512 MB | 1 | 8 GB |
| Docker host (light) | 2 GB | 2 | 20 GB |
| Docker host (heavy) | 4+ GB | 4 | 50+ GB |
| Database (PostgreSQL) | 2+ GB | 2 | 20+ GB |
nesting=1,keyctl=1)vmbr0): Containers get IPs on the LAN (simplest)--net0 name=eth0,bridge=vmbr0,tag=100 for network segmentation--net0 name=eth0,bridge=vmbr0,ip=10.0.0.100/24,gw=10.0.0.1npx claudepluginhub nsheaps/ai-mktpl --plugin proxmoxProxmox VE administration: VM/LXC/OCI container provisioning, storage backends, networking/SDN, clustering, high availability, API automation, cloud-init templates, backups/PBS, PCIe passthrough, and vGPU. Invoke whenever task involves any interaction with Proxmox VE — configuring hosts, managing guests, designing storage or networking, writing automation scripts, planning clusters, troubleshooting, or reviewing PVE configurations.
Provisions and secures a Hetzner Cloud VPS with Docker, Nginx/Caddy, SSL, and monitoring for application deployment.
Turns application stacks into production deployments on Linux VPS with Docker Compose, Traefik, private registries, SSH tunnels, backups, and rollback planning.