Rolling Patch Orchestration · Proxmox VE

ProxPatch

Zero-touch node patching for Proxmox clusters by gyptazy.

Automate the most repetitive operational task in Proxmox: keeping cluster nodes updated. ProxPatch drains, migrates, patches, and reboots nodes in a controlled rolling fashion — no downtime, no manual intervention.

proxpatch — rolling update
$ proxpatch --debug
 
[00:01] Inspecting cluster state...
[00:02] Found 3 nodes: pve-01, pve-02, pve-03
[00:03] ! pve-01 has 12 pending updates
 
[00:04] Draining pve-01...
[00:09] Migrated 4 VMs from pve-01 → pve-02, pve-03
[00:10] Applying updates on pve-01...
[00:47] Updates applied, reboot required for pve-01
[00:48] Rebooting pve-01...
[01:14] pve-01 online, VMs migrating back
 
All nodes up-to-date. Cluster healthy.
0 External Dependencies
Cluster Size Support
1 Tool. One Job. Done Right.
0s Unnecessary Downtime

How ProxPatch Works

A predictable, auditable sequence. Every step is transparent and logged — no black boxes.

01 🔍 Inspect Cluster
Queries cluster state via pvesh. Identifies all nodes and their current workloads. Works together with ProxLB!
02 📦 Check Updates
Connects via SSH and determines which nodes have pending package updates available.
03 ⚙️ Apply Patches
Runs package upgrades on the drained node via SSH. Determines if a reboot is needed.
04 🚚 Migrate VMs
Uses native Proxmox tooling to live-migrate running guests away from the target node. No downtime!
05 ♻️ Reboot & Repeat
Performs a controlled reboot if required, waits for node recovery, then repeats for the next node.

Built for Real Clusters

From homelab setups to production environments — ProxPatch is designed to be trusted.

🔄
Rolling Updates

Patches one node at a time while keeping the rest of the cluster fully operational. Guests stay online throughout the entire process.

🛡️
Safety First

Verifies cluster health before touching each node. Never proceeds if the cluster is in a degraded state or quorum is at risk.

🔌
Zero Dependencies

No orchestration frameworks, no external databases, no API tokens. Uses only native Proxmox tools: pvesh, qm, and SSH.

👁️
Fully Observable

Clear execution logs with timestamps at every step. Every decision is visible and auditable — you always know what ProxPatch is doing.

🏠
Homelab to Production

Intentionally minimal and transparent. Works equally well on a 2-node homelab and a 20-node production cluster.

🎯
Smart Reboot Detection

Only reboots when genuinely required. Skips unnecessary restarts if the applied updates don't require a kernel change.
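
A pre-flight gate of the kind the Safety First card describes, as an added example that is not ProxPatch's own code. It assumes the JSON shape returned by `pvesh get /cluster/status --output-format json`, one vote per node and no QDevice; `preflight` and the sample data are hypothetical and constructed here.

```python
import json

# Constructed sample shaped like `pvesh get /cluster/status --output-format json`
# for the three nodes in the demo run above; values are illustrative.
SAMPLE_STATUS = json.loads("""[
  {"type": "cluster", "id": "cluster", "name": "lab", "nodes": 3, "quorate": 1},
  {"type": "node", "id": "node/pve-01", "name": "pve-01", "nodeid": 1, "online": 1},
  {"type": "node", "id": "node/pve-02", "name": "pve-02", "nodeid": 2, "online": 1},
  {"type": "node", "id": "node/pve-03", "name": "pve-03", "nodeid": 3, "online": 1}
]""")


def preflight(status, target):
    """Return the reasons not to drain `target`; an empty list means proceed."""
    cluster = next((e for e in status if e.get("type") == "cluster"), None)
    nodes = {e["name"]: e for e in status if e.get("type") == "node"}
    if cluster is None:
        return ["no cluster entry in status (standalone node or unreadable output)"]
    if target not in nodes:
        return [f"{target} is not a member of cluster {cluster.get('name')}"]

    reasons = []
    if not cluster.get("quorate"):
        reasons.append("cluster is not quorate")

    offline = sorted(n for n, e in nodes.items() if not e.get("online"))
    if offline:
        reasons.append("degraded: offline nodes " + ", ".join(offline))

    # Assumption: one vote per node and no QDevice, so quorum is a strict majority.
    needed = len(nodes) // 2 + 1
    remaining = sum(1 for n, e in nodes.items() if e.get("online") and n != target)
    if remaining < needed:
        reasons.append(f"quorum at risk: {remaining} of {needed} required votes remain")
    return reasons


if __name__ == "__main__":
    # Healthy cluster: draining pve-01 leaves 2 of 3 votes, so nothing blocks.
    print(preflight(SAMPLE_STATUS, "pve-01"))
    # Same cluster with pve-03 already down: draining pve-01 would leave 1 vote.
    degraded = [dict(e, online=0) if e.get("name") == "pve-03" else e for e in SAMPLE_STATUS]
    print(preflight(degraded, "pve-01"))
```
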

One Job. Done Well.

ProxPatch is not a full lifecycle manager or an HA replacement. It focuses on exactly one task and executes it with precision.

📌 Relationship to ProxLB

ProxPatch started as a planned feature of ProxLB (another tool by gyptazy) — a DRS-like load balancer for Proxmox clusters. However, missing API endpoints for rolling node patching and reboot orchestration made it necessary to build this as a standalone tool. Integrating workarounds into ProxLB would have introduced long-term maintenance risks. So ProxPatch was born as its own focused project, which plays nicely together with ProxLB.

01 Prefer safety over speed
The cluster must stay healthy. Always.
02 Avoid unnecessary downtime
Only reboot when a reboot is actually needed.
03 Keep the cluster running
No node goes down without a safe landing for its guests.
04 Observable and debuggable
Automation you can read, understand, and trust.
05 Stay lightweight
Dependency-free. Audit-friendly. Easy to modify.

Installation

Add the official repository via gyptazy open-source solutions and install ProxPatch with two commands. No build tools, no runtimes.

1 Add the GPG key
Downloads and installs the signing key from the official gyptazy.com repository to verify package integrity.
2 Register the repository
Adds the official Debian package source for your system and refreshes the package index.
3 Install ProxPatch
Installs the proxpatch package on only one node in the cluster. No external dependencies required — ready to run immediately.
Debian / Proxmox VE compatible
ProxPatch targets Debian bookworm and trixie and is fully compatible with Proxmox VE 8.x and 9.x environments.
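bash — install proxpatch
# Run as root on the one node that will run ProxPatch
# Add the official gyptazy.com repository signing key
# (-f makes curl fail on an HTTP error instead of saving the error page as the key)
install -d -m 0755 /etc/apt/keyrings
curl -fsSL https://git.gyptazy.com/api/packages/gyptazy/debian/repository.key \
    -o /etc/apt/keyrings/gyptazy.asc

# Register the repository, pinned to the key above via signed-by
# Suite: trixie for Proxmox VE 9.x, bookworm for Proxmox VE 8.x
echo "deb [signed-by=/etc/apt/keyrings/gyptazy.asc] \
  https://packages.gyptazy.com/api/packages/gyptazy/debian \
  trixie main" | tee -a \
    /etc/apt/sources.list.d/gyptazy.list

# Refresh the package index
apt-get update

# Install ProxPatch
apt-get install -y proxpatch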

Ready to automate your patch cycles?

Drop the manual drain-migrate-patch-reboot routine. Let ProxPatch handle it while you focus on what matters.
