Proxmox VE 8.4 Released: Key Features and Updates
Proxmox VE version 8.4 has been officially released as of April 9, 2025, building upon the stable foundation of Debian 12.10 “Bookworm”. This update brings a host of new features, software updates, and improvements, enhancing virtualization capabilities, management, and security. Key enhancements include live migration support for vGPU devices, an API for external backup providers, and virtiofs integration.
Key Takeaways
- Live Migration with vGPU: Enables migration of running VMs using mediated devices like NVIDIA vGPUs (requires hardware/driver support).
- External Backup Provider API: Introduces an API allowing integration of third-party backup solutions with the Proxmox VE backup stack and GUI.
- Virtiofs Support: Allows efficient sharing of host directories with VM guests without network filesystem overhead.
- Updated Core Components: Features Linux Kernel 6.8 as default (6.14 opt-in), QEMU 9.2.0, LXC 6.0.0, ZFS 2.2.7, and Ceph Squid 19.2.1 as a stable option.
- GUI Enhancements: Includes consent banners, improved sorting, proxy support for downloads, task list improvements, and security hardening.
- Ceph Quincy EOL: Ceph Quincy 17.2.8 is now end-of-life; users are advised to upgrade to Ceph Reef or Squid.
Table of Contents
- Release Overview
- Highlights
- Changelog Overview
- Notable Changes
- Known Issues & Breaking Changes
- Further Information
Release Overview
Proxmox VE 8.4, released on April 9, 2025, is based on Debian 12.10 “Bookworm”. This version introduces significant updates to its core components:
- Kernel: Ships with the latest Linux Kernel 6.8.12-9 as the new stable default. An even newer Kernel 6.14 is available as an opt-in option for users seeking the latest features.
- QEMU: Updated to version 9.2.0.
- LXC: Updated to version 6.0.0.
- ZFS: Updated to version 2.2.7, including compatibility patches for the optional Kernel 6.14.
- Ceph: Offers Ceph Squid 19.2.1 and Ceph Reef 18.2.4 as stable options.
Important: Ceph Quincy 17.2.8 is now end-of-life. Users currently on Ceph Quincy are strongly advised to plan and execute an upgrade to Ceph Reef or Ceph Squid.
Before initiating an upgrade, please review the official documentation regarding upgrading from version 7.4 and the known issues for version 8.4.
Highlights
Live Migration with Mediated Devices (vGPU)
A major advancement in Proxmox VE 8.4 is the introduction of live migration support for VMs using mediated devices, such as NVIDIA vGPUs. This allows for the seamless migration of running virtual machines equipped with these devices between hosts, minimizing downtime. Note: This feature requires specific hardware and driver support, and currently, only NVIDIA GPUs are known to support this capability. The feature can be enabled per PCI mapping.
External Backup Provider Support
Proxmox VE 8.4 now includes an API enabling developers to create backup provider plugins for external backup solutions. This allows third-party backup systems to integrate deeply with the Proxmox VE backup stack and GUI, potentially utilizing features like dirty bitmap tracking for efficient incremental backups. Backup solution providers can now offer tailored integration for their products.
Virtiofs Host Directory Sharing
The new virtiofs support enables direct sharing of directories between the Proxmox VE host and guest VMs without the performance overhead associated with network filesystems like NFS or SMB. Modern Linux guests (Kernel 5.4+) support virtiofs out-of-the-box. Windows guests require the installation of additional drivers. Note: VMs using virtiofs currently cannot be live-migrated, and snapshots with RAM or hibernation are not possible.
Latest Kernels and Ceph Squid
Staying current, Proxmox VE 8.4 defaults to the stable Linux 6.8 kernel, with the cutting-edge Linux 6.14 kernel available as an opt-in choice. For distributed storage, Ceph Squid 19.2.1 is now available as a stable option alongside Ceph Reef.
Seamless Upgrade Path
Proxmox VE 8.4 offers a seamless upgrade path for users currently on Proxmox VE 7.4. Detailed instructions are available in the official documentation.
Changelog Overview
This release incorporates numerous enhancements and fixes across various components.
Enhancements in the Web Interface (GUI)
- Consent Banner: Added the ability to set a Markdown-enabled consent banner (Datacenter → Options → Consent Text) that users must acknowledge before login, aiding compliance efforts (issue 5463).
- Improved Sorting: Storage content (ISOs, templates) now sorts according to browser locale with numeric sorting for a more natural order (issue 6138).
- Proxy for Downloads: Downloading ISOs, templates, or OVAs via URL now respects the configured proxy for both HTTP and HTTPS (issue 3716). See Breaking Changes.
- Migration Network CIDR: Custom CIDR notation is now allowed for the migration network in datacenter options (issue 6142).
- Task List Actions: Task lists now feature an explicit action column for better discoverability of task details.
- Confirmation Dialogs: Dialogs now explicitly mention the target guest name for clarity (issue 3181).
- Privilege Alignment: Better alignment between GUI and backend privilege checks for adding PCI, USB, or VirtIO RNG devices.
- Disk Image Upload/Download: Allow upload/download to storages with “Import” content type (preparation for future disk import features) (issue 2424).
- Login Session Fix: Fixed an issue where external links sometimes forced a login screen despite a valid session.
- PCI Mapping Editor Fix: Corrected preselection issue in the PCI mapping editor.
- Security Fixes: Addressed XSS vulnerability via QEMU guest agent responses (PSA-2024-00016-1) and added HTML encoding for API results as hardening (PSA-2025-00002-1).
- UI Updates: Updated xterm.js to 5.5.0 (fixing high-latency sizing issue 6223) and noVNC to 1.6.0.
- Translation Improvements: Fixed untranslatable/split strings and updated translations for Bulgarian, French, German, Italian, Japanese, Simplified Chinese, Spanish, Traditional Chinese, and Ukrainian.
Virtual Machines (KVM/QEMU)
- QEMU 9.2.0: Updated QEMU version.
- vGPU Live Migration: Implemented live migration support for mediated devices like NVIDIA vGPUs (issue 5175).
- Virtiofs: Added support for sharing host directories via virtiofs (issue 1027).
- AMD SEV-SNP: Initial support added for AMD Secure Nested Paging for enhanced host-guest isolation. Note: EFI disks are not supported with SEV-SNP.
- S3/S4 Power States Disabled: Disabled by default in the new machine version (9.2+pve1) to prevent issues (e.g., with vGPU passthrough). New Windows VMs use this; existing VMs retain their older machine type.
- Machine Version Deprecation Clarified: Documentation updated regarding QEMU machine version support lifecycle (approx. two previous major Proxmox VE releases). Warnings will be shown for future deprecations.
- ISO Boot Order: VM creation wizard now places additional ISOs (like VirtIO drivers) after the main installation ISO in the boot order (issue 6116).
- Security Fixes (Image Formats): Addressed issues allowing potential host file access via manipulated image formats (PSA-2024-00014-1, PSA-2025-00001-1, PSA-2025-00003-1, PSA-2025-00004-1).
- Customizable Ballooning Target: Allows configuration of the memory ballooning target per-node (previously fixed at 80%) (issue 2413).
- Shutdown Fallback: VMs with guest agent enabled will now fall back to ACPI shutdown if the agent is inactive.
- Disk Format Consistency: Enforces consistency between the disk format option and the format reported by storage for managed disks.
- VirtIO RNG Improvements: Allowed non-root users (with specific privileges) to configure /dev/urandom, /dev/random, or hardware RNGs. Removed outdated entropy starvation warning for /dev/random.
- Offline Migration with Mapped Devices: Enabled offline migration even if mapped devices are present.
- Snapshot Performance: Snapshots with RAM now write VM state in a dedicated IO thread, reducing QEMU main thread load and potential guest hangs on unreliable storage.
- VM Start Timeout: Increased maximum timeout based on the number of virtual NICs (issue 3588).
- TPM State Cloning: Cloning a VM now always fully clones the TPM state.
- Template Disk Conversion Fix: Fixed issue where allocating new EFI/TPM volumes for templates didn’t convert them to base volumes.
- OVA Live Import Fix: Corrected an issue breaking live import from OVA appliances with disks.
- Template Resume Prevention: Prevented resuming templates (they should only prelaunch for backups).
- Disk Move/Clone Restriction: Prevented moving/cloning disks to storage without “Disk Image” content type (issue 5284).
- TPM/EFI Detach Handling: Removing TPM/EFI disk from a running VM is now registered as a pending change.
- Template Backup Fix: Fixed backup failure for templates with disconnected vNICs (issue 6007).
- Spurious Warnings Fixed: Addressed some unnecessary warnings (e.g., qm importdisk) (issue 5980).
- QEMU 9.2 CPU Usage Workaround: Addressed higher CPU usage for Linux guests after the update.
- Cloning Error Messages: Improved clarity of error messages during cloning failures.
- Kernel Patch Revert/Backport: Reverted patch hindering Intel Skylake iGPU passthrough; backported patch fixing KVM performance regression on Intel Emerald Rapids.
Containers (LXC)
- Backup Change Detection Mode: Allow setting the change detection mode for one-shot container backups to Proxmox Backup Server (issue 5936).
- Nesting Clarity: Creation wizard now makes it clearer that nesting is disabled for privileged containers.
- API IP Address Return: Interface API endpoint now returns all configured IP addresses for a container (issue 5339).
- Remote Console Fix: Fixed issue asking for SSH host key trust when opening a console on a different node.
- Read-Only Mount Options: Ignore conflicting options for read-only mounts to prevent mount failures (issue 5907).
General Improvements for Virtual Guests
- Remote Migration Enhancements:
  - Allow remote migration of guests with disks on shared storage (RBD, iSCSI).
  - Fixed container remote migration failure when nesting was explicitly set to 0.
  - Fixed offline disk migration failure under certain conditions with target bandwidth limits (issue 6130).
Improved Management for Proxmox VE Clusters
- pveproxy/pvedaemon Enhancements:
  - Increased max POST request size to 512 KiB (from 64 KiB) to handle large configs like PCI mappings (issue 6230).
  - API handlers now return errors in JSON response body for easier client parsing.
  - Use HTTP 500 instead of 501 where appropriate; include error messages in response body.
  - Reduced redundant disconnect warnings for clients sending no data (issue 4816).
  - Send TLS close notify before closing connections for better client compatibility.
  - Optionally log connecting IP from a header for proxied environments (issue 5699).
- Notification System Improvements:
  - Allow overriding templates for both plain text and HTML notifications (issue 6143).
  - Streamlined notification templates.
  - Clarified descriptions for notification matcher modes (issue 6088).
  - Fixed error during notification target creation/update.
  - Set Content-Length header for webhook/gotify HTTP requests.
- InfluxDB Plugin Fix: Corrected issue with incomplete data collection for guests with single numeric tags.
- Metrics Export Fix: Fixed incorrect iowait data in `/cluster/metrics/export`.
- API Schema Specification: Improved API response schemas for easier interaction.
- Corosync Update: Updated to version 3.1.9 with additional hardening patches.
- pvereport Enhancement: Now displays WWIDs of attached disks for easier multipath troubleshooting.
Backup/Restore
- External Backup Provider API: Introduced API for third-party backup solution integration.
- Container Backup Fix: Fixed race condition potentially preventing error propagation during container backups to Proxmox Backup Server.
- PBS Container Backup Modes Improved:
  - Fixed issue where file size wasn’t considered for metadata comparison, potentially causing restore failures.
- Fleecing Backup Robustness:
  - Record fleecing image name and clean up leftovers on suitable occasions (e.g., next backup, migration) (issue 5440).
  - Improved error handling and avoidance of stuck guest IO.
- VM Template VMA Backups: Now use the same backup approach as backups to Proxmox Backup Server.
- PBS File Restore: Switch to blockdev options when preparing drives for the file restore VM; fixed related regression for namespaces/encryption.
Storage
- iSCSI Plugin: Reduced frequency of TCP ping connection checks to avoid spurious target-side warnings (issue 957).
- ESXi Plugin Improvements:
  - Avoided DBUS errors related to match rules (issue 5876).
  - Ensured correct detection of VMDK disk images.
- OVA/OVF Import Security Fix: Addressed issue allowing potential host file access via crafted OVA appliances (PSA-2024-00013-1).
- Btrfs Plugin Fixes:
  - Fixed guest migration failure with multiple snapshots on Btrfs (issue 3873).
  - Fixed intermittent error when using ISOs on Btrfs.
- RBD/iSCSI Caching Fix: Addressed caching issues in these storage plugins (issue 6085).
- Replication Job Deletion Fix: Ensured disabled replication jobs are correctly deleted.
Ceph
Reminder: Ceph Quincy 17.2 is end-of-life. Upgrading to Ceph Reef or Squid is recommended.
- GUI Pool Application Column: Added an optional column showing the pool application.
- Pool Edit Fix: Fixed occasional issue where editing a pool via GUI could set different `size` and `min_size` values.
- OSD Crash Issue (Squid): Addressed an issue in early Ceph Squid 19.2 versions causing newly created OSDs (especially on EC pools) to crash. A patched version (19.2.1-pve3+) is available. See Known Issues.
Access Control
- OpenID Connect Realm Improvements:
  - Added support for groups via a configurable `groups-claim` setting (issue 4411). Includes optional automatic creation of non-existent groups.
  - Added option to disable UserInfo endpoint queries for incompatible identity providers (issue 4234).
- Realm Warning Fixes: Fixed spurious warning with case-insensitive realms (e.g., Active Directory).
- PAM Password Change Clarification: Clarified that password changes via the PAM realm only affect the local node.
Firewall & Software Defined Networking
- IPAM/DNS Plugin Security: Added TLS certificate validation for external IPAM/DNS plugins (Tech Preview) (PSA-2025-00006-1). Configuration update might be needed.
- DHCP Range Overlap: Forbid assigning overlapping DHCP ranges to the same zone, as multiple IPAM backends don’t support this.
- Netbox IPAM Plugin Rework (Tech Preview): Improved synchronization for address/network deletion and updates; consistent error handling; proper address return on creation (issue 5496). May require DHCP range recreation.
- PowerDNS Plugin Fix: Corrected handling of DNS name addition for dual-stacked setups/zones.
- Pending Changes Detection Fix: Fixed issue where boolean settings evaluating to false always showed as pending.
- Firewall API Option: Added `log_level_format` option (issue 5925).
- Security Group Rule Generation: Skip generating rules in forward chains for security groups bound to a single interface (preventing errors).
- proxmox-firewall Alignment: Adapted options/defaults to better align with pve-firewall. Fixed `nf_conntrack_allow_invalid` behavior.
- Interface Firewall Setting: Treat absent firewall setting for a guest NIC as false (issue 6176).
- ICMP Rule Fix: Corrected firewall rules for the ICMP protocol (issue 6108).
- FRR Service Enablement: Ensure FRR service is enabled when (re)started.
- FRR Update: Updated FRR routing suite from 8.5.2 to 10.2.1. Added option for dummy interfaces as loopback in OpenFabric.
Improved Management of Proxmox VE Nodes
- GRUB SecureBoot Fixes: Addressed several vulnerabilities (PSA-2025-00005-1). SecureBoot documentation updated with revocation instructions.
- NVIDIA vGPU Helper Tool: Added `pve-nvidia-vgpu-helper` tool to simplify driver setup.
- Kernel Backports: Included patches to avoid performance penalty on Raptor Lake CPUs with recent microcode (issue 6065) and fix rare Open vSwitch crashes during ovs-tcpdump exit.
- ACME DNS Plugins Updated: Updated acme.sh DNS plugins to upstream version 3.1.0.
- pve7to8 Fix: Fixed spurious broken pipe warning when querying DKMS status.
- LVM Autoactivation Fix: Ensured LVM autoactivation settings are respected on boot.
Installation ISO
- Password Length: Increased minimum root password length from 5 to 8 characters (aligns with NIST recommendations).
- Automated Installer Improvements:
  - More user-visible information on installation failure reasons.
  - Case-insensitive RAID levels in answer file.
  - Prevent printing progress messages when no progress occurs.
  - Correctly honor user preference for reboot on error (issue 5984).
  - Allow binary executables (not just scripts) as first-boot hooks.
  - Allow properties in answer file in `snake_case` or `kebab-case` (`kebab-case` preferred).
  - Validate locale and first-boot-hook settings during ISO prep, not at install time.
  - Option to retrieve FQDN from DHCP server (issue 5811).
  - Option to power off after successful automated installation (issue 5880).
- Logging/Interface: Prevent non-critical kernel messages from overwriting the TUI installer.
- Network Configuration:
  - Keep DHCP-detected config in GUI installer even if Next isn’t clicked first (issue 2502).
  - Improved error handling if no DHCP server/lease is found.
  - GUI installer pre-selects first interface if DHCP fails.
  - More sensible fallback values if DHCP fails.
- FRR Shipping: ISO now ships and installs FRRouting (service disabled by default).
- ZFS ARC Sizing: Improved maximum ARC size calculation on low-memory systems (ensures at least 1 GiB free). Also applied to additional ZFS storage, not just root (issue 6285).
- Btrfs Boot Management: Btrfs installations now use `proxmox-boot-tool` for ESP management (issue 5433).
- GRUB Installation: GRUB now installs directly to the disk to improve bootability if EFI variables are corrupted.
- GUI Installer Disk Options Fix: Corrected issue showing wrong ext4/xfs options after switching back from Btrfs advanced tab.
Notable Changes
Starting with NVIDIA vGPU Software version 18, NVIDIA officially supports Proxmox VE as a platform. Refer to NVIDIA documentation for details on setup and usage.
Known Issues & Breaking Changes
PXE Boot OVMF Requirement
Due to security enhancements, the OVMF firmware now requires a VirtIO RNG device to be present in a VM for PXE boot to function. If you rely on PXE boot with OVMF, ensure you add a VirtIO RNG device to the VM configuration.
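To find affected VMs before upgrading, the following added example (not part of the original release notes or of Proxmox VE itself) flags VM configurations that use OVMF, list a network device in their boot setting, and have no `rng0` entry. It assumes the `key: value` format of the files under `/etc/pve/qemu-server/`; the function names and sample configs are this example's own.

```python
import re


def parse_current_config(text):
    """Return the current 'key: value' settings of one VM config as a dict.

    Parsing stops at the first '[section]' header: later sections hold
    snapshot or pending state, not the settings the VM boots with.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            break
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def may_boot_from_network(cfg):
    """True if 'boot' lists a NIC (order=...;netN) or carries the legacy 'n' flag.

    A config without any 'boot' line is not flagged by this check.
    """
    boot = cfg.get("boot", "")
    order = re.search(r"order=([^,]*)", boot)
    if order:
        return any(dev.strip().startswith("net") for dev in order.group(1).split(";"))
    legacy = re.fullmatch(r"(?:legacy=)?([acdn]{1,4})", boot)
    return bool(legacy and "n" in legacy.group(1))


def needs_rng_for_pxe(text):
    """OVMF firmware + network boot entry + no rng0 device: PXE boot will not work."""
    cfg = parse_current_config(text)
    uses_ovmf = cfg.get("bios", "").lower() == "ovmf"
    return uses_ovmf and may_boot_from_network(cfg) and "rng0" not in cfg


# Constructed sample configs; VMIDs, MACs and bridges are made up.
SAMPLES = {
    101: "bios: ovmf\nboot: order=net0;scsi0\nnet0: virtio=BC:24:11:00:00:01,bridge=vmbr0\n",
    102: "bios: ovmf\nboot: order=scsi0;net0\nrng0: source=/dev/urandom\n"
         "net0: virtio=BC:24:11:00:00:02,bridge=vmbr0\n",
    103: "boot: order=net0\nnet0: virtio=BC:24:11:00:00:03,bridge=vmbr0\n",  # no bios line: not OVMF
    104: "bios: ovmf\nboot: order=scsi0\n\n[snap1]\nboot: order=net0\n",  # net boot only in a snapshot
    105: "bios: ovmf\nboot: cdn\nnet0: virtio=BC:24:11:00:00:05,bridge=vmbr0\n",  # legacy boot string
}


def audit(samples):
    """Return the sorted VMIDs whose configuration needs a VirtIO RNG device added."""
    return sorted(vmid for vmid, text in samples.items() if needs_rng_for_pxe(text))


if __name__ == "__main__":
    print(audit(SAMPLES))
```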
Ceph Squid OSD Crash Issue
An issue exists in Ceph Squid versions prior to 19.2.1-pve3 where newly created OSDs (particularly on erasure coded pools) may crash due to a problematic default setting (`bluestore_elastic_shared_blobs`).
- Solution 1 (Recommended): Upgrade your Ceph Squid cluster to version 19.2.1-pve3 or later. This version includes a workaround.
- Solution 2 (Manual): Manually change the setting using: `ceph config set osd bluestore_elastic_shared_blobs 0`
Important: If you created new OSDs using Ceph Squid versions 19.2.0-pve1 up to 19.2.1-pve2, you must destroy and recreate each affected OSD one by one (allowing recovery in between) after applying either Solution 1 or Solution 2.
“Download from URL” Proxy Behavior Change
Previously, the “Download from URL” feature only used the configured datacenter proxy for HTTP connections, not HTTPS. In Proxmox VE 8.4, it now correctly uses the proxy for both HTTP and HTTPS connections. This might break setups that relied on the old behavior (e.g., bypassing the proxy for internal HTTPS repositories). Such setups may need to download files manually without using the “Download from URL” feature if the proxy blocks access to the required resource.
SDN IPAM/DNS Plugin TLS Verification
The SDN IPAM/DNS plugin integration (currently Tech Preview) now performs TLS certificate validation for connections to external services, which it did not do previously (PSA-2025-00006-1). Users might encounter verification errors after upgrading if the external service’s certificate is not trusted by the Proxmox VE node.
To fix: Either edit the plugin configuration to provide the SHA-256 fingerprint of the service’s certificate, or ensure the CA signing the certificate is trusted by the Proxmox VE node’s OS.
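When choosing the fingerprint option, the value to pin should come from a certificate file obtained directly from the service's administrator and then be compared with what the service presents on the network. The following added example (not part of the original release notes or of the plugin code) does that; the function names are this example's own, and the sample bytes are a constructed stand-in, not a real certificate.

```python
import hashlib
import ssl


def fingerprint_from_pem(pem_text):
    """SHA-256 over the DER encoding of a PEM certificate, as colon-separated hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint):
    """Strip separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    return fingerprint.replace(":", "").replace(" ", "").strip().lower()


def fingerprints_match(expected, observed):
    """Compare a trusted fingerprint with an observed one; reject malformed input."""
    want, got = normalize(expected), normalize(observed)
    if len(want) != 64 or any(c not in "0123456789abcdef" for c in want):
        raise ValueError("expected value is not a SHA-256 fingerprint")
    return want == got


def presented_fingerprint(host, port=443):
    """Fingerprint of the certificate the service presents right now.

    ssl.get_server_certificate() performs no validation, so this value is
    only something to compare against the trusted one, never a value to
    pin on its own.
    """
    return fingerprint_from_pem(ssl.get_server_certificate((host, port)))


# Constructed stand-in for a certificate file received out of band.
SAMPLE_DER = b"constructed stand-in bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    trusted = fingerprint_from_pem(SAMPLE_PEM)
    print("fingerprint to pin:", trusted)
    # On a real node: fingerprints_match(trusted, presented_fingerprint(host, port))
```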
SDN Netbox IPAM Plugin DHCP Range Recreation
A bug fix in the Netbox IPAM plugin (Tech Preview) corrected how IP Ranges were created in Netbox for DHCP-enabled zones. Existing subnets using Netbox IPAM with DHCP ranges might need adjustment.
Option 1 (Manual): Manually create the required IP Ranges within the Netbox UI (IPAM → IP Ranges).
Option 2 (Proxmox VE Recreate):
- Go to SDN → VNets.
- Edit the affected Subnet, delete all DHCP ranges, click OK.
- Edit the Subnet again, re-create the DHCP ranges, click OK.
- Apply the SDN configuration.
The IP ranges should now appear correctly in Netbox.
Further Information
For the complete changelog and future plans, please refer to the official Proxmox VE roadmap: