Rolling Patch Orchestration · Proxmox VE

ProxPatch

Zero-touch node patching for Proxmox clusters by gyptazy.

Automate the most repetitive operational task in Proxmox: keeping cluster nodes updated. ProxPatch drains, migrates, patches, and reboots nodes in a controlled rolling fashion — no downtime, no manual intervention.

proxpatch — rolling update
$ proxpatch --debug
 
[00:01] Inspecting cluster state...
[00:02] Found 3 nodes: pve-01, pve-02, pve-03
[00:03] ! pve-01 has 12 pending updates
 
[00:04] Draining pve-01...
[00:09] Migrated 4 VMs → pve-02, pve-03
[00:10] Applying updates via SSH...
[00:47] Updates applied, reboot required
[00:48] Rebooting pve-01...
[01:14] pve-01 online, VMs migrating back
 
All nodes up-to-date. Cluster healthy.

0 External Dependencies
Cluster Size Support
1 Tool. One Job. Done Right.
0s Unnecessary Downtime

How ProxPatch Works

A predictable, auditable sequence. Every step is transparent and logged — no black boxes.

01 🔍 Inspect Cluster
Queries cluster state via pvesh. Identifies all nodes and their current workloads.

02 📦 Check Updates
Connects via SSH and determines which nodes have pending package updates available.

03 ⚙️ Apply Patches
Runs package upgrades on the drained node via SSH. Determines if a reboot is needed.

04 🚚 Migrate VMs
Uses native Proxmox tooling to live-migrate running guests away from the target node. No downtime!

05 ♻️ Reboot & Repeat
Performs a controlled reboot if required, waits for node recovery, then repeats for the next node.

Built for Real Clusters

From homelab setups to production environments — ProxPatch is designed to be trusted.

🔄
Rolling Updates

Patches one node at a time while keeping the rest of the cluster fully operational. Guests stay online throughout the entire process.

🛡️
Safety First

Verifies cluster health before touching each node. Never proceeds if the cluster is in a degraded state or quorum is at risk.

🔌
Zero Dependencies

No orchestration frameworks, no external databases, no API tokens. Uses only native Proxmox tools: pvesh, qm, and SSH.

👁️
Fully Observable

Clear execution logs with timestamps at every step. Every decision is visible and auditable — you always know what ProxPatch is doing.

🏠
Homelab to Production

Intentionally minimal and transparent. Works equally well on a 2-node homelab and a 20-node production cluster.

🎯
Smart Reboot Detection

Only reboots when genuinely required. Skips unnecessary restarts if the applied updates don't require a kernel change.
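
The health gate described under "Safety First" can be made concrete. The following is an added example, not ProxPatch's own code: it parses the JSON returned by `pvesh get /cluster/status --output-format json` and decides whether a node may go offline. It assumes one corosync vote per node and no QDevice; the function name `safe_to_drain` and the sample status are constructed for illustration.

```python
import json

# Constructed sample of `pvesh get /cluster/status --output-format json`
# for a three-node cluster (node names taken from the demo log above).
SAMPLE_STATUS = json.dumps([
    {"type": "cluster", "id": "cluster", "name": "lab", "nodes": 3, "quorate": 1},
    {"type": "node", "id": "node/pve-01", "name": "pve-01", "online": 1},
    {"type": "node", "id": "node/pve-02", "name": "pve-02", "online": 1},
    {"type": "node", "id": "node/pve-03", "name": "pve-03", "online": 1},
])


def safe_to_drain(status_json, target):
    """Return (ok, reason) for taking `target` offline.

    Assumption: one corosync vote per node and no QDevice.
    """
    entries = json.loads(status_json)
    cluster = next((e for e in entries if e.get("type") == "cluster"), None)
    nodes = {e["name"]: e for e in entries if e.get("type") == "node"}

    if cluster is None:
        return False, "no cluster entry: standalone node or unreadable status"
    if not cluster.get("quorate"):
        return False, "cluster is not quorate"
    if target not in nodes:
        return False, f"unknown node {target}"

    # Any node already offline means the cluster is degraded: stop here.
    offline = sorted(n for n, e in nodes.items() if not e.get("online"))
    if offline:
        return False, "degraded: offline nodes " + ", ".join(offline)

    total = len(nodes)
    needed = total // 2 + 1   # strict majority of votes
    remaining = total - 1     # votes left while the target reboots
    if remaining < needed:
        return False, f"quorum at risk: {remaining} of {needed} required votes"
    return True, f"{remaining} of {total} votes remain (need {needed})"


if __name__ == "__main__":
    for node in ("pve-01", "pve-02", "pve-03"):
        print(node, safe_to_drain(SAMPLE_STATUS, node))
```

Under these assumptions a two-node cluster fails the gate, because the surviving node alone is not a majority of votes.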

One Job. Done Well.

ProxPatch is not a full lifecycle manager or an HA replacement. It focuses on exactly one task and executes it with precision.

📌 Relationship to ProxLB

ProxPatch started as a planned feature of ProxLB (another tool by gyptazy) — a DRS-like load balancer for Proxmox clusters. However, missing API endpoints for rolling node patching and reboot orchestration made it necessary to build this as a standalone tool. Integrating workarounds into ProxLB would have introduced long-term maintenance risks. So ProxPatch was born as its own focused project.

01 Prefer safety over speed
The cluster must stay healthy. Always.

02 Avoid unnecessary downtime
Only reboot when a reboot is actually needed.

03 Keep the cluster running
No node goes down without a safe landing for its guests.

04 Observable and debuggable
Automation you can read, understand, and trust.

05 Stay lightweight
Dependency-free. Audit-friendly. Easy to modify.

Installation

Add the official repository via gyptazy open-source solutions and install ProxPatch with two commands. No build tools, no runtimes.

1. Add the GPG key
Downloads and installs the signing key from the official gyptazy.com repository to verify package integrity.

2. Register the repository
Adds the official Debian package source for your system and refreshes the package index.

3. Install ProxPatch
Installs the proxpatch package on only one node in the cluster. No external dependencies required, ready to run immediately.

Debian / Proxmox VE compatible
ProxPatch targets Debian bookworm and trixie and is fully compatible with Proxmox VE 8.x and 9.x environments.

bash — install proxpatch
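# Add the official gyptazy.com repository signing key
# -f makes curl fail on HTTP errors instead of saving an error page as the key
sudo install -d -m 0755 /etc/apt/keyrings
sudo curl -fsSL https://git.gyptazy.com/api/packages/gyptazy/debian/repository.key \
    -o /etc/apt/keyrings/gyptazy.asc

# Register the repository; signed-by limits this key to this source only
# (the suite is hard-coded to trixie here)
echo "deb [signed-by=/etc/apt/keyrings/gyptazy.asc] \
  https://packages.gyptazy.com/api/packages/gyptazy/debian \
  trixie main" | sudo tee -a \
    /etc/apt/sources.list.d/gyptazy.list

sudo apt-get update

# Install ProxPatch
sudo apt-get install -y proxpatch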

Ready to automate your patch cycles?

Drop the manual drain-migrate-patch-reboot routine. Let ProxPatch handle it while you focus on what matters.
