It works like a charm under Mac and Ubuntu Linux. However, a different issue when it came to Debian as my new desktop of choice.

Thanks to ChatGPT I’ve been able to fix an issue that has been annoying me for months.

Under Linux, no matter what, NordPass comes as a Snap application. Once you have installed it and start the app, it will take you to the default web browser so you can authenticate yourself in their website.

Once you’re authenticated, you’re offered a link of the form nordpass://vault?action=login&status=done&verify_token=dfc088f3ab8d5be4b554d5d994dffc4cb5c0fb2e676bcf427b6322c4c3bb2f62 that you can open, so it takes you back to the desktop app.

Well, that link does open under Ubuntu, but not under Debian. The reason? This is a custom protocol handler, and my suspicion is that Firefox ESR is not allowed to open external protocol handlers by default.

The steps you have to follow to make that happen are:

1) Check if Debian knows the protocol

Run:

xdg-mime query default x-scheme-handler/nordpass

If nothing is returned → that’s the problem. NordPass hasn’t registered itself properly.

2) — Manually register NordPass as the handler

First find the Snap desktop file:

ls /var/lib/snapd/desktop/applications | grep -i nordpass

You should see something like:

snap.nordpass.nordpass.desktop

Now register it:

xdg-mime default snap.nordpass.nordpass.desktop x-scheme-handler/nordpass

Then update desktop database:

update-desktop-database ~/.local/share/applications

Now test:

xdg-open "nordpass://test"

If NordPass opens → fixed.

3) If it still fails (Snap sandbox issue)

Snap apps sometimes cannot receive custom URL callbacks because of missing portal integration.

Check if the snap has desktop integration:

snap connections nordpass

Look for:

desktop desktop-legacy xdg-desktop-portal

If not connected:

sudo snap connect nordpass:desktop
sudo snap connect nordpass:desktop-legacy

4) Firefox setting check

In Firefox:

• Go to: about:config
• Search: network.protocol-handler.expose.nordpass
• If it exists and is set to true, change it to false.
• If it doesn’t exist, create:
  • Type: Boolean
  • Name: network.protocol-handler.expose.nordpass
  • Value: false
• Restart Firefox.

This tells Firefox it is allowed to open external handlers.

🔎 Why this happens

Snap applications:

• Run sandboxed
• Sometimes fail to register URL schemes properly

Debian 13 is stricter with portals and desktop integration

This is not a NordPass login problem — it’s a custom protocol handler registration issue.

In any case, I want to tell here two main changes I did to my desktop.

GRUB default image

In my personal opinion, the default GRUB background image for Debian 13 is a bit sad.

Thus, the steps I took for changing it for something more close to my taste were:

1) GRUB has some limitations.

✅ Supported formats

• PNG (recommended)
• JPG/JPEG
• TGA

PNG works best.

Using a wallpaper from a Lenovo Thinkpad fan page, I created a customized image for this background. Using GIMP, I created a 1024x768 PNG image, which would suit almost any display at boot time.

You can check your GRUB resolution with:

# grep GRUB_GFXMODE /etc/default/grub

If not set, GRUB may default to something like 1024x768.

You can explicitly set resolution:

GRUB_GFXMODE=1920x1080
GRUB_GFXPAYLOAD_LINUX=keep

2) Place the image in the right place.

# cp mybackground.png /boot/grub

3) Tell GRUB to Use the Image

Edit:

$ sudo nano /etc/default/grub

Add or modify this line:

GRUB_BACKGROUND="/boot/grub/mybackground.png"

Make sure:

• The path is correct
• Quotes are included
• The file exists

4) Update GRUB

After saving:

$ sudo update-grub

This regenerates:

/boot/grub/grub.cfg

Reboot to test.

5) (Optional) Enable Graphics Mode if Needed

If the background doesn’t appear, ensure graphics mode is enabled:

In /etc/default/grub, verify:

GRUB_TERMINAL=console

If it’s set to serial or something else, the background won’t show.

If needed, comment it out:

#GRUB_TERMINAL=console

Then run:

sudo update-grub

LightDM background image

I’m using Xfce for Debian 13 as my default desktop.

LightDM is the [display manager] in place, so here is where we have to configure the background image for the login page.

However, I noticed that there is a easier and more straightforward way of changing the desktop theme, altogether.

Debian comes with a list of desktop themes, that you can see by doing

$ update-alternatives --list desktop-theme
/usr/share/desktop-base/ceratopsian-theme
/usr/share/desktop-base/emerald-theme
/usr/share/desktop-base/futureprototype-theme
/usr/share/desktop-base/homeworld-theme
/usr/share/desktop-base/joy-inksplat-theme
/usr/share/desktop-base/joy-theme
/usr/share/desktop-base/lines-theme
/usr/share/desktop-base/moonlight-theme
/usr/share/desktop-base/softwaves-theme
/usr/share/desktop-base/spacefun-theme

“Ceratopsian” is the one by default, and that is the one that I don’t like.

You can easily go to the folder and see the different images. When you see another that you like, you can just change the default theme, to be system-wide, by doing:

$ sudo update-alternatives --set desktop-theme /usr/share/desktop-base/futureprototype-theme
update-alternatives: using /usr/share/desktop-base/futureprototype-theme to provide /usr/share/desktop-base/active-theme (desktop-theme) in manual mode

If you fancy the GRUB image that comes with your theme, just undo the changes done in the GRUB section of this post. You’ll get the default image that comes with the selected theme.

We’ll be using the in place upgrade method. I’m going to take you through the steps I took to upgrade my home cluster.

Upgrade all nodes to latest minor version

From current major version 8, be sure that all nodes are already on this minor version:

root@pve01:~# pveversion
pve-manager/8.4.14/b502d23c55afcba1 (running kernel: 6.8.12-17-pve)

Check prerequisites

Double check that you have a correct Ceph status (if shared storage is in use) and a healthy PVE cluster, as detailed in the Prerequisites section of the upgrade documentation.

pve8to9 checklist script

Run the script on all nodes prior to start any upgrade. Be sure that you have no errors or hard notices from it.

I had the following message, and similar ones have to be fixed before starting the upgrade:

root@pve01:~# pve8to9 |& grep -i FAIL
FAIL: systemd-boot meta-package installed. This will cause problems on upgrades of other boot-related packages. Remove 'systemd-boot' See https://pve.proxmox.com/wiki/Upgrade_from_8_to_9#sd-boot-warning for more information.
FAILURES: 1

In my case, it was safe to do this on all nodes:

root@pve01:~# apt-get remove systemd-boot
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  proxmox-kernel-6.8.12-13-pve-signed proxmox-kernel-6.8.12-14-pve-signed
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  systemd-boot
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 250 kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 80236 files and directories currently installed.)
Removing systemd-boot (252.39-1~deb12u1) ...
Processing triggers for man-db (2.11.2-2) ...

Put a node in maintenance mode

We’ll start performing the upgrade to one node, and we’ll repeat these steps on every node, one at a time. We’ll always wait for the cluster to be 100% available before moving on to the next node upgrade.

To put a node in maintenance mode, go to the shell and do:

root@pve01:~# ha-manager crm-command node-maintenance enable pve01

After VMs and CMs have been migrated, we can see there are none in the node we’re about to upgrade:

root@pve01:~# ha-manager status
quorum OK
master pve03 (active, Tue Dec 23 19:56:08 2025)
lrm pve01 (maintenance mode, Tue Dec 23 19:56:09 2025)
lrm pve02 (active, Tue Dec 23 19:56:07 2025)
lrm pve03 (active, Tue Dec 23 19:56:04 2025)
service vm:100 (pve03, started)
service vm:101 (pve02, started)
service vm:102 (pve02, started)
service vm:104 (pve03, started)
service vm:105 (pve02, started)

Perform software upgrade

This step is split in several sub-steps.

Update Debian Base Repositories to Trixie

Run the following to update the base OS repositories:

root@pve01:~# sed -i 's/bookworm/trixie/g' /etc/apt/sources.list
root@pve01:~# sed -i 's/bookworm/trixie/g' /etc/apt/sources.list.d/pve-enterprise.list

Add the Proxmox VE 9 Package Repository

In my case, I’m using the no-subscription repository, so I do this:

root@pve01:~# cat > /etc/apt/sources.list.d/proxmox.sources << EOF
Types: deb
URIs: http://download.proxmox.com/debian/pve
Suites: trixie
Components: pve-no-subscription
Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg
EOF

In any case, double check that you’re not leaving behind traces of Proxmox 8 repositories and that the new ones work, through apt update. There could be some traces in file /etc/apt/sources.list.

Update the Ceph Package Repository

In case you’re using Ceph shared storage, you must also update the Ceph package repository.

In my case, I’m using the no-subscription repository, so I do this:

root@pve01:~# cat > /etc/apt/sources.list.d/ceph.sources << EOF
Types: deb
URIs: http://download.proxmox.com/debian/ceph-squid
Suites: trixie
Components: no-subscription
Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg
EOF

Also, I made sure no traces of the previous Ceph repository are there, by doing:

root@pve01:~# rm /etc/apt/sources.list.d/ceph.list 

Refresh package index

Run the command and make sure you don’t have any errors:

root@pve01:~# apt update
Hit:1 http://ftp.es.debian.org/debian trixie InRelease
Hit:2 http://security.debian.org trixie-security InRelease                 
Hit:3 http://ftp.es.debian.org/debian trixie-updates InRelease             
Hit:4 http://security.debian.org/debian-security trixie-security InRelease 
Hit:5 http://download.proxmox.com/debian/ceph-squid trixie InRelease
Hit:6 http://download.proxmox.com/debian/pve trixie InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
639 packages can be upgraded. Run 'apt list --upgradable' to see them.

Upgrade the system to Debian Trixie and Proxmox VE 9.0

The following command could take quite some time, so be aware:

root@pve01:~# apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:

[…]

639 upgraded, 155 newly installed, 61 to remove and 0 not upgraded.
Need to get 886 MB of archives.
After this operation, 1,729 MB of additional disk space will be used.
Do you want to continue? [Y/n] 

Say yes and go ahead with the upgrade.

There will be some questions about configuration changes to be overridden or not by the incoming packages. Answer according to your preferences.

Check Result & Reboot Into Updated Kernel

If the previous command exited without error, you can re-check with pve8to9 and confirm that everything is in place for a reboot.

root@pve01:~# sync ; init 6 ; exit

Post-upgrade actions

When you log in to the upgraded cluster node, please check:

• Cluster status is OK.
• Proxmox VE 9 deprecates HA groups in favor of HA rules. If you are using HA and HA groups, HA groups will be automatically migrated to HA rules once all cluster nodes have been upgraded to Proxmox VE 9.

Now you can disable maintenance mode by doing:

root@pve01:~# ha-manager crm-command node-maintenance disable pve01

Optionally, you can take the change to normalize any package source archive that is still with the old format, by doing:

root@pve01:~# apt modernize-sources
The following files need modernizing:
  - /etc/apt/sources.list
  - /etc/apt/sources.list.d/pve-enterprise.list

Modernizing will replace .list files with the new .sources format,
add Signed-By values where they can be determined automatically,
and save the old files into .list.bak files.

This command supports the 'signed-by' and 'trusted' options. If you
have specified other options inside [] brackets, please transfer them
manually to the output files; see sources.list(5) for a mapping.

For a simulation, respond N in the following prompt.
Rewrite 2 sources? [Y/n] Y
Modernizing /etc/apt/sources.list...
- Writing /etc/apt/sources.list.d/debian.sources

Modernizing /etc/apt/sources.list.d/pve-enterprise.list...

Be aware that any commented entries would be uncommented, so double check with apt update after that and act accordingly.

Wrap up

After you’ve done the upgrade procedure on all nodes, do a few final checks.

Check cluster health:

root@pve03:~# pvecm status
Cluster information
-------------------
Name:             myclust
Config Version:   3
Transport:        knet
Secure auth:      on

Quorum information
------------------
Date:             Wed Dec 24 02:20:02 2025
Quorum provider:  corosync_votequorum
Nodes:            3
Node ID:          0x00000003
Ring ID:          1.20c
Quorate:          Yes

Votequorum information
----------------------
Expected votes:   3
Highest expected: 3
Total votes:      3
Quorum:           2  
Flags:            Quorate 

Membership information
----------------------
    Nodeid      Votes Name
0x00000001          1 192.168.18.131
0x00000002          1 192.168.18.132
0x00000003          1 192.168.18.133 (local)

Check HA status:

root@pve03:~# ha-manager status
quorum OK
master pve02 (active, Wed Dec 24 02:22:06 2025)
lrm pve01 (active, Wed Dec 24 02:22:03 2025)
lrm pve02 (active, Wed Dec 24 02:22:04 2025)
lrm pve03 (active, Wed Dec 24 02:21:59 2025)
service vm:100 (pve03, started)
service vm:101 (pve01, started)
service vm:102 (pve02, started)
service vm:104 (pve03, started)
service vm:105 (pve01, started)

Check Ceph (shared storage) status:

root@pve03:~# pveceph status
  cluster:
    id:     f35872da-c5a3-4599-af36-b99c2b64c0f3
    health: HEALTH_OK
 
  services:
    mon: 3 daemons, quorum pve01,pve02,pve03 (age 16m)
    mgr: pve03(active, since 16m), standbys: pve01, pve02
    osd: 3 osds: 3 up (since 15m), 3 in (since 4M)
 
  data:
    pools:   3 pools, 65 pgs
    objects: 28.56k objects, 106 GiB
    usage:   307 GiB used, 1.8 TiB / 2.1 TiB avail
    pgs:     65 active+clean
 
  io:
    client:   0 B/s rd, 450 KiB/s wr, 0 op/s rd, 91 op/s wr

With that HEALTH_OK, we’re done.

With a Firewire 400 interface, is a 640x480 CCD camera with a max frame rate of 30 fps.

It was perfectly usable with every Mac with a Firewire connector ever since. Or so I thought, until I tried to use it with macOS versions newer than Catalina. Apple removed the support for that, and it’s clear that Opencore Legacy Patcher might not take that back.

Ok, at least I have it working with macOS El Capitán.

But I started wondering … “And what about Linux?”

And yes, I managed to make it work under Linux!

Sound works but video does not

We can just plug the camera and see the stereo input:

root@whisky:~# cat /proc/asound/cards
 0 [iSight         ]: iSight - Apple iSight
                      Apple iSight (GUID 000a27000414c178) at fw1.1, S400
 1 [Intel          ]: HDA-Intel - HDA Intel
                      HDA Intel at 0x8c004000 irq 37

And it showed up in the audio mixer.

However, you try to list V4L devices and you get:

root@whisky:~# v4l2-ctl --list-devices
Cannot open device /dev/video0, exiting.

But video is there

… as long as you can do this and see the video:

manuelmc@whisky:~$ vlc dc1394://

It’s coming from the raw dc1394 source. There is no camera driver, only FireWire access.

Checking driver support

Long story short: Support for FireWire video interfaces in the kernel was deprecated and replaced as part of a large rework of the FireWire stack around the 2.6.37 kernel (released in early 2011).

At that point the old FireWire device drivers (like ohci1394, raw1394, video1394) were replaced with the new unified firewire_core/firewire-ohci stack, and the dedicated legacy iSight video/kernel driver (where present) was abandoned. This change meant that userspace had to handle the camera (via libraries like libdc1394) rather than the kernel exposing it as a native V4L or /dev/video* device driver.

Using another route

After trying to bring back the kernel source tree for 5.8.x and confirming that there is not support for iSight FireWire video (even if you tried to compile it yourself), we started looking in other places.

I managed to get plenty of information thanks to ChatGPT and put it together to compile the following guide.

Apple iSight (FireWire) → V4L2 Bridge on Ubuntu 24.04 (Kernel 6.8) for Zoom/Meet/etc.

This guide explains how to use an Apple iSight FireWire camera on modern Linux (Ubuntu 24.04.3, kernel 6.8) from applications that require a V4L2 webcam such as Zoom, Google Meet, Microsoft Teams, etc.

Your iSight works via libdc1394 (for example, vlc dc1394:// shows live video and the green LED turns on), but it is not exposed as /dev/video* by the kernel. That is expected on modern kernels.

To solve this, we create a virtual V4L2 webcam using v4l2loopback and feed it from the iSight video stream.

What you will build

• Input: Apple iSight FireWire (IIDC / libdc1394)
• Bridge: FFmpeg or GStreamer (depending on availability)
• Output: v4l2loopback virtual webcam (/dev/videoN)
• Result: Applications see a normal V4L2 camera (e.g. iSight-Virtual)

0) Baseline checks (important)

Confirm the camera works via FireWire / dc1394

vlc dc1394://

If you see video and the LED turns green, FireWire and libdc1394 are working.

Confirm there is no native V4L2 device

v4l2-ctl --list-devices

The iSight should not appear here. This is normal.

1) Install required packages (Ubuntu 24.04)

sudo apt update
sudo apt install -y \
  v4l2loopback-dkms v4l2loopback-utils \
  v4l-utils \
  libdc1394-25 \
  vlc

Install FFmpeg (optional, see section 3):

sudo apt install -y ffmpeg

Install GStreamer (recommended fallback and often required on 24.04):

sudo apt install -y \
  gstreamer1.0-tools \
  gstreamer1.0-plugins-base \
  gstreamer1.0-plugins-good \
  gstreamer1.0-plugins-bad \
  gstreamer1.0-plugins-ugly

2) Create the virtual V4L2 webcam (v4l2loopback)

Create one virtual device (example: /dev/video10):

sudo modprobe v4l2loopback \
  video_nr=10 \
  card_label="iSight-Virtual" \
  exclusive_caps=1

Verify it exists:

ls -l /dev/video10
v4l2-ctl --list-devices

You should see iSight-Virtual.

Important note about formats

On some systems, v4l2-ctl -d /dev/video10 --list-formats-ext may show only:

Type: Video Capture

…with no formats listed. This is normal with exclusive_caps=1 and/or with how some apps/drivers query loopback devices. The bridge can still work fine.

Optional: load automatically at boot

echo 'options v4l2loopback video_nr=10 card_label="iSight-Virtual" exclusive_caps=1' | \
  sudo tee /etc/modprobe.d/v4l2loopback-isight.conf

3) OPTION A — Use FFmpeg (ONLY if dc1394 input is supported)

3.1 Check if your FFmpeg supports dc1394

ffmpeg -hide_banner -formats | grep -i 1394

If you see dc1394, you can use FFmpeg.

If you do NOT see dc1394 (common on Ubuntu 24.04), you will get: Unknown input format: 'dc1394' and you must use OPTION B (GStreamer).

3.2 FFmpeg bridge command

ffmpeg \
  -hide_banner -loglevel warning \
  -f dc1394 -framerate 30 -video_size 640x480 -i dc1394:// \
  -vf "format=yuyv422" \
  -f v4l2 /dev/video10

Leave this running while using Zoom / Meet.

4) OPTION B — Use GStreamer (RECOMMENDED / works on Ubuntu 24.04)

This is the preferred and reliable method on Ubuntu 24.04.

4.1 Confirm dc1394src is available

gst-inspect-1.0 dc1394src

If it prints element details, the plugin is available.

4.2 Start the GStreamer → V4L2 bridge (KNOWN-GOOD PIPELINE)

This pipeline is confirmed to work with v4l2loopback when a strict pixel format (e.g. format=YUY2) fails to link:

gst-launch-1.0 -v \
  dc1394src ! \
  videoconvert ! \
  video/x-raw,width=640,height=480,framerate=30/1 ! \
  v4l2sink device=/dev/video10

Leave it running while using your conferencing app.

Why we do NOT force format=YUY2 here

You may see an error like:

could not link videoconvert0 to v4l2sink0, neither element can handle
video/x-raw, format=YUY2, …

This happens because v4l2sink (writing to v4l2loopback) may not accept that exact caps combination on your build. Letting GStreamer negotiate the format is the most portable solution.

4.3 If the image is unstable, try lower frame rate

gst-launch-1.0 -v \
  dc1394src ! \
  videoconvert ! \
  video/x-raw,width=640,height=480,framerate=15/1 ! \
  v4l2sink device=/dev/video10

5) Use the camera in Zoom / Meet / Teams

1. Start one bridge only (FFmpeg or GStreamer).
2. Open Zoom / browser / Teams.
3. Select camera: iSight-Virtual.

6) Troubleshooting

“Device or resource busy”

Only one program can access the camera stream at a time. Close VLC or any other app using the iSight.

Virtual camera not listed

Check:

v4l2-ctl --list-devices

Reload v4l2loopback if needed:

sudo modprobe -r v4l2loopback
sudo modprobe v4l2loopback video_nr=10 card_label="iSight-Virtual" exclusive_caps=1

7) Why this bridge is required (background)

• Apple iSight FireWire is an IIDC camera, not USB UVC.
• Modern Linux kernels do not expose IIDC cameras as V4L2 nodes by default.
• Audio still works via snd-isight, but video is typically user-space only.
• Therefore, a loopback bridge is the correct modern solution.

Quick checklist

• vlc dc1394:// shows live video (baseline)
• /dev/video10 exists (v4l2loopback)
• GStreamer pipeline runs without errors (recommended)
• Zoom/Meet selects iSight-Virtual

Conclusion

On Ubuntu 24.04, GStreamer + v4l2loopback is the most reliable way to use an Apple iSight FireWire camera with modern applications.

FFmpeg can be used only if it was built with dc1394 input support.

Additional script

Keep in mind that you must have the pipeline running before any application tries to use it.

You might want to have a script at hand for turning the camera on when you need it.

cat > ~/isight-autostart.sh <<'EOF'
#!/usr/bin/env bash
set -euo pipefail

DEV=/dev/video10
LABEL="iSight-Virtual"

# Ensure v4l2loopback exists
if [ ! -e "$DEV" ]; then
  sudo modprobe v4l2loopback video_nr=10 card_label="$LABEL" exclusive_caps=1
fi

# Start gstreamer bridge if not running
if ! pgrep -f "gst-launch-1.0.*v4l2sink device=$DEV" >/dev/null 2>&1; then
  nohup gst-launch-1.0 -v \
    dc1394src ! videoconvert ! video/x-raw,width=640,height=480,framerate=30/1 ! \
    v4l2sink device="$DEV" \
    >/tmp/isight-bridge.log 2>&1 &
  sleep 1
fi

# Launch whatever you want
exec "$@"
EOF

chmod +x ~/isight-autostart.sh

Proof of it

Here you have it!

In that, I mentioned about using CephFS. However, right here we’re going to implement persistent storage through Ceph RBD

I’ll use both the documentation about block devices and Kubernetes from Ceph and this Medium post from Fabio Reis.

Storage pool creation

We already have a RBD pool named pool1 in which we allocate storage volumes for Proxmox VMs.

root@pve01:~# ceph osd pool ls detail
pool 1 '.mgr' replicated size 3 min_size 2 crush_rule 0 object_hash rjenkins pg_num 1 pgp_num 1 autoscale_mode on last_change 19 flags hashpspool stripe_width 0 pg_num_max 32 pg_num_min 1 application mgr read_balance_score 3.00
pool 2 'pool1' replicated size 3 min_size 2 crush_rule 0 object_hash rjenkins pg_num 32 pgp_num 32 autoscale_mode on last_change 479 lfor 0/479/477 flags hashpspool,selfmanaged_snaps stripe_width 0 application rbd read_balance_score 1.31

Thus, we’re going to create a separate one for our Kubernetes cluster.

From the same shell in a Proxmox cluster node, let’s create a new pool:

root@pve01:~# ceph osd pool create kubernetes
pool 'kubernetes' created

We need to initialize a newly created pool prior to use:

root@pve01:~# rbd pool init kubernetes

We need to create a new user for Kubernetes and ceph-csi. Execute the following and record the generated key:

root@pve01:~# ceph auth get-or-create client.kubernetes mon 'profile rbd' osd 'profile rbd pool=kubernetes' mgr 'profile rbd pool=kubernetes'
[client.kubernetes]
    key = AQD9o0Fd6hQRChAAt7fMaSZXduT3NWEqylNpmg==

For configuring ceph-csi, we also require a ConfigMap object stored in Kubernetes to define the the Ceph monitor addresses for the Ceph cluster. Collect both the Ceph cluster unique fsid and the monitor addresses:

root@pve01:~# ceph mon dump
epoch 3
fsid b9127830-b0cc-4e34-aa47-9d1a2e9949a8
last_changed 2025-04-16T01:29:22.792421+0200
created 2025-04-15T20:21:39.833395+0200
min_mon_release 19 (squid)
election_strategy: 1
0: [v2:192.168.18.131:3300/0,v1:192.168.18.131:6789/0] mon.pve01
1: [v2:192.168.18.132:3300/0,v1:192.168.18.132:6789/0] mon.pve02
2: [v2:192.168.18.133:3300/0,v1:192.168.18.133:6789/0] mon.pve03
dumped monmap epoch 3

Note: ceph-csi currently only supports the legacy V1 protocol. Hence, we’ll use the v1 addresses with port 6789.

Kubernetes connection to Ceph storage

With all this information, we can now continue with the Ceph document from this point in our Kubernetes cluster, and create the required assets manually.

Or better than that, we can use the ceph-csi-rbd Helm chart together with Terraform and apply something like this:

variables.tf:

variable "k8s_clusters" {
  description = "Kubernetes clusters configuration"
  type = map(object({
    nodes = map(object({
      ip_address = string
      ip_gateway = string
    }))
    ceph = object({
      username      = string
      key           = string
      mon_hosts     = list(string)
      cluster_fsid  = string
      rbd_pool      = string
    })
  }))
  default = {
    k8s01 = {
      nodes = {
        k8s01cp01 = {
          ip_address = "192.168.1.5"
          ip_gateway = "192.168.1.1"
        }
        k8s01cp02 = {
          ip_address = "192.168.1.6"
          ip_gateway = "192.168.1.1"
        }
      }
      ceph = {
        # we omit the client. prefix !
        username = "kubernetes"
        key          = "AQD9o0Fd6hQRChAAt7fMaSZXduT3NWEqylNpmg=="
        mon_hosts    = [
            "192.168.18.131:6789",
            "192.168.18.132:6789",
            "192.168.18.133:6789"
        ]
        cluster_fsid = "b9127830-b0cc-4e34-aa47-9d1a2e9949a8"
        rbd_pool    = "kubernetes"
      }
    }
  }
}

k8s_storage.tf:

resource "kubernetes_namespace" "ceph_csi_rbd" {
  metadata {
    name = "ceph-csi-rbd"
  }
}

resource "helm_release" "ceph_csi_rbd" {
  name       = "ceph-csi-rbd"
  repository = "https://ceph.github.io/csi-charts"
  chart      = "ceph-csi-rbd"
  version    = "3.14.1"
  namespace = kubernetes_namespace.ceph_csi_rbd.metadata[0].name
  values = [
    templatefile("${path.module}/source/helm/ceph/ceph-csi-rbd-values.tpl.yml", {
      ceph_conf = var.k8s_clusters["k8s01"].ceph
    })
  ]
}

The aforementioned ceph-csi-rbd-values.tpl.yml is the default values template you can get from here on that Helm chart.

The keys I’ve customized are:

• csiConfig
• storageClass
• secret

With that, you apply the chart and all resources cited in Ceph docs are created.

Kubernetes storage test

Let’s create a storage volume from inside our Kubernetes cluster:

root@k8s01cp01:~# cat raw-block-pvc.yaml 
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: raw-block-pvc
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Block
  resources:
    requests:
      storage: 1Gi
  storageClassName: csi-rbd-sc

root@k8s01cp01:~# kubectl apply -f raw-block-pvc.yaml
persistentvolumeclaim/raw-block-pvc created

root@k8s01cp01:~# kubectl get pvc
NAME            STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
raw-block-pvc   Bound    pvc-18ef4c64-caaf-44e5-a123-6502238a2a1e   1Gi        RWO            csi-rbd-sc     <unset>                 19s

and now we see the volume inside Ceph:

root@pve01:~# rbd ls -p kubernetes
csi-vol-e5fa9aa4-13b9-4f09-a366-91621a34c264

Now, if we remove the volume from Kubernetes:

root@k8s01cp01:~# kubectl delete pvc/raw-block-pvc
persistentvolumeclaim "raw-block-pvc" deleted

… we can confirm that Ceph does not have that anymore:

root@pve01:~# rbd ls -p kubernetes
root@pve01:~# 

Here I’ll put my notes on how to make it work under Linux.

Steps

1. Install the firmware loader for this WWAN modem:

    $ sudo apt install gobi-loader
   

2. Create the folder where we’ll host the firmware files:

    $ sudo mkdir /lib/firmware/gobi
   

3. Now you need the original firmware files. Going to Lenovo Support web site, you can download the required files here. You need to download 7xwc48ww.exe. Install it on a Windows supported system (or at least, extract the files). After that, and following this table, place the files in the folder created in the previous step:

    # cp 0/UQCN.mbn UMTS/amss.mbn UMTS/apps.mbn /lib/firmware/gobi/
   

   I did it with the Vodafone firmware, but your mileage may vary.

4. Reboot your system.

5. If you did it fine, you’ll see the following device now configured:

    $ lsusb | grep Qualcomm
    Bus 002 Device 006: ID 05c6:9205 Qualcomm, Inc. Gobi 2000
   

Additional links to check:

• Qualcomm Gobi 2000. Detailed information coming from ThinkWiki.
• How to set up Gobi 2000 GPS in Linux
• X201 Qualcomm und Win 10. It’s in German. You’ll find there how to get support for this device under Windows 10. I can tell you where to find the file win8beta_7xwc45ww.zip that is also valid to use it under Windows 11.

• 3G embedded support (Qualcomm, Inc. Qualcomm Gobi 2000)
• Lenovo Integrated Webcam
• Upek Biometric Touchchip/Touchstrip Fingerprint Sensor
• Gemalto (was Gemplus) Compact Smart Card Reader Writer

It was cheap, fun to configure and easy to carry whenever I needed to go.

In this post I’m going to describe how I configured the fingerprint sensor.

For Microsoft Windows 11 you don’t have to do anything special, as the device is automatically configured. You just go to your user preferences and add fingerprint logging and follow the procedure to enroll your fingerprint(s).

For Debian 12, I’ll describe the quick procedure below. But before that, please let me cite the original blog entry of the device driver author here.

Now with the procedure:

1. Install some Debian packages:

    $ sudo apt install fprintd libpam-fprintd
   

2. Configure PAM (Pluggable Authentication Modules):

    $ sudo pam-auth-update
   

   In the PAM configuration menu, select “Fingerprint authentication” and click OK.

    [*] Fingerprint authentication
    [*] Unix authentication
    [*] Register user sessions in the systemd control group hierarchy
    [ ] Create home directory on login
    [*] GNOME Keyring Daemon - Login keyring management
   
    <Ok>    <Cancel>
   

3. Enroll Your Fingerprint. After restarting your system, you should be able to enroll your fingerprint. Use the fprint-enroll tool or a graphical interface (if available) to enroll your fingerprint.

    $ fprintd-enroll 
    Using device /net/reactivated/Fprint/Device/0
    Enrolling right-index-finger finger.
    Enroll result: enroll-stage-passed
    Enroll result: enroll-stage-passed
    Enroll result: enroll-stage-passed
    Enroll result: enroll-stage-passed
    Enroll result: enroll-stage-passed
    Enroll result: enroll-completed
   

   You will need several passes for the fingerprint to be completely enrolled. Repeat until you see the last message.

4. Now you can log in to your system using your login manager, like LightDM in my case. Also, you can use your fingerprint to authenticate yourself in other situations:

    $ sudo su -
    Swipe your right index finger across the fingerprint reader
    # 
   

5. Optionally, you can enroll other fingerprints or manage them through command-line utilities:

    $ fprintd-list manuelmc
    found 1 devices
    Device at /net/reactivated/Fprint/Device/0
    Using device /net/reactivated/Fprint/Device/0
    Fingerprints for user manuelmc on Upek TouchChip Fingerprint Coprocessor (swipe):
    \- #0: right-index-finger
   

1. First and foremost, if you haven’t already, let’s install RVM: For the current user (no system-wide installation), you have to:

    \curl -sSL https://get.rvm.io | bash -s stable --ruby
   

2. Once you have RVM installed, we’ll request the installation of an old Ruby version, with its quirks and things:

    $ rvm pkg install openssl
   

3. With that dependency installed, we’re now able to install the selected Ruby version with OpenSSL support:

    $ rvm install ruby-3.0.5 --with-openssl-dir=$HOME/.rvm/usr
   

   It will take a while.

4. With the version installed, let’s install Bundler:

    $ rvm all do gem install bundler
   

5. Let’s use the newly installed Ruby version:

    $ rvm use ruby-3.0.5
   
    RVM is not a function, selecting rubies with 'rvm use ...' will not work.
   
    You need to change your terminal emulator preferences to allow login shell.
    Sometimes it is required to use `/bin/bash --login` as the command.
    Please visit https://rvm.io/integration/gnome-terminal/ for an example.
   

   Oops! It looks we need to allow login shell for the macros to work:

    $ bash --login
    $ rvm use ruby-3.0.5
    Using /home/manuelmc/.rvm/gems/ruby-3.0.5
   

Now we have a working cluster, where we can start virtual hosts and LXC containers. However, the storage is local to each node.

What we’ll achieve next is to incorporate shared storage to this cluster.

As a starting point, I used this blog post from Lobobrothers (it’s in Spanish).

The steps I followed:

1. If you installed Proxmox with a single disk, and left enough disk space in the installation process (see previous post), here is the time to partition that space to make it available for Ceph:

   See the current configuration:

    root@pve01:~# fdisk /dev/nvme0n1
   
    Welcome to fdisk (util-linux 2.38.1).
    Changes will remain in memory only, until you decide to write them.
    Be careful before using the write command.
   
    This disk is currently in use - repartitioning is probably a bad idea.
    It's recommended to umount all file systems, and swapoff all swap
    partitions on this disk.
   
   
    Command (m for help): p
   
    Disk /dev/nvme0n1: 931.51 GiB, 1000204886016 bytes, 1953525168 sectors
    Disk model: KINGSTON SNV3S1000G                     
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disklabel type: gpt
    Disk identifier: 712DDA48-E2CF-4783-AEAD-5103BB5DAD17
   
    Device             Start        End    Sectors   Size Type
    /dev/nvme0n1p1        34       2047       2014  1007K BIOS boot
    /dev/nvme0n1p2      2048    2099199    2097152     1G EFI System
    /dev/nvme0n1p3   2099200  421529599  419430400   200G Linux LVM
   
    Command (m for help): 
   

   Create a new partition:

    Command (m for help): n
    Partition number (4-128, default 4): 
    First sector (2099200-421529599, default 2099200): 
    Last sector, +/-sectors or +/-size{K,M,G,T,P} (2099200-421529599, default 421529599): 
   
    Created a new partition 4 of type 'Linux filesystem' and of size 730.5 GiB.
   
    Command (m for help): w
    The partition table has been altered.
    Syncing disks.
   

2. After loggin in to the admin console, I click on Datacenter -> Ceph. And we receive this message: So we accept.

3. We’re offered a screen to select which version to install: After selecting the latest non-subscription version, we click on Start squid installation.

4. Once we finish the installation, click on Next. Select the network for Ceph to use:

5. Installation of Ceph in the first node is done.

6. As we’ve been told, we’ll repeat the steps in the nodes pve02 and pve03.

7. Now, for each of the nodes, we click on Ceph -> OSD -> Create: OSD:

8. Again, for each of the nodes, we click on Ceph -> Monitor -> Create:

9. For nodes pve02 and pve03 we’ll create additional manager processes, by clicking on Ceph -> Monitor -> Manager -> Create:

10. Now, if you were hosting different storage types, you would want to establish a new set of CRUSH rules for the OSDs. If you have a single storage space per node and OSD, you can safely skip this step.

In a case you wanted to have Ceph with different set of disks per node, like spinning, SSD, or a bunch of disks to be split in different groups, please go ahead and check Ceph CRUSH & Device Classes section of the documentation.

1. If we now click on Ceph -> OSD we can see something like this:

2. Now it’s time for create a Ceph pool, where virtual machines will be stored. Go ahead and click on Ceph -> Pools -> Create:

3. We can check under Datacenter -> Storage that we do have pool1 available for shared storage:

Now we’re ready to create a new virtual machine in the Ceph shared storage.

From here on, these are optional steps.

If you plan to use Ceph CSI in your Kubernetes cluster, with CephFS, you must add now at least one Ceph Metadata Server.

1. You can create an MDS through the Proxmox VE web GUI’s Node -> CephFS panel -> Create:

2. In the dialog box, confirm the creation of the first metadata server:

   You can create more servers, and it is a good thing to do, but be aware that only one will be active and the rest of them will be standby servers.

3. Let’s do the same with the second and third node, selecting each node and naming the new metadata servers accordingly:

   

4. Now, and before you create any Ceph FS, the status of all MDS is standby:

We’ll take care of creating a Ceph FS in a separate post, together with its use case.

Nowadays you can think about having a small cluster in your cloud provider of choice. Even if you automate the creation and destroy of such lab through IaC, you’ll incur in costs that might end being a real burden.

What about a dedicated server? Even the cheapest ones are either not big enough or you have to pay extra to have proper storage.

And what about using real hardware and hosting it at home? Well, I checked some second-hand carrier-grade hardware providers and they offer you really affordable solutions. See Give1life, Jet Computer or Serverando, but there are many others.

As familiar as I am with the hosting and datacenter world, there are three limiting factors in this solution: noise, heat and electric power. Yes, they’re affordable and reliable. But you’ll need a room for that purpose. As I don’t plan on having one, let’s check another solution that came to me.

Configuration selection

Compute platform

There is a new trend of small factor PCs, called mini PC that are very handy when you lack proper desktop space. Not only they’re small, but also very energy efficient.

For a small desktop PC to browse the web and do basic daily chores, they were fine. However, right now, you can find a very wide variety of options. Some of them are not so basic.

Some friends talked me into checking the Intel N100 CPU from Intel’s 12th gen Alder Lake architecture. Indeed, very power savvy (between 6 and 12 watt), but also very capable (4 CPU cores up to 3.4 GHz).

Theoretically they’re able to handle up to 16 GBytes of RAM. That is more than enough for a low cost PC. You can even use it as a workstation, if you stretch the concept a bit.

They made me be interested and I already put my eyes on the Texhoo QN10 mini PC. Please do not be mislead by the QN10 SE model.

As I was about to settle with the idea of a 16 GB RAM configuration, with dual 2.5 Gbit ethernet interface, multiple USB ports, WIFI6 etcetera, I bumped into this blog post stating that there was a stable 32 GBytes RAM configuration.

For every cluster node, I bought one Crucial RAM DDR5 32GB 5600MHz SODIMM CL46 - CT32G56C46S5 module, as suggested by Stepyon in the blog, and one Kingston NV3 NVMe PCIe 4.0 SSD Internal 1TB M.2 2280-SNV3S/1000G , which have a reasonable price-quality ratio.

Remember that you have to explicitly enable the virtualization options in your BIOS. I also recommend to set up power management so the mini-pc returns to previous state after a power outage.

Networking

Let’s select some interconnect hardware on a budget. I opted for a non-managed solution that has passive heat sink: Tenda TEM2010X 8 x 2.5Gbit port switch.

Proxmox installation

Software installation

In order to install Proxmox we selected version 8.3.1 ISO and downloaded it from their downloads page.

It is very straight-forward, but I’ll go quickly through the steps for a standalone installation here:

• First, you can settle with the standard installation option:

• Then you’re asked to accept the license:

• Now you are presented with the Proxmox HD selection dialog:

• Here you have two options:
  1. If you either don’t plan on creating a Ceph cluster, or you plan to do it with a secondary disk, just click on OK and leave the default options (ext4 FS).
  2. If you want to use part of the only disk we have for Ceph, please click on Options and reduce the size as stated below:

  Now accept and continue with the next step.

• In this step you adjust your locale options:

• Here you’ll set up a password for the root user, or administrator user of the node, and a email address for notifications:

• Here we’ll set up an IP address for the management interface. We can only setup one single network interface here, but this could be changed later:

• Before we continue, we are shown the summary of our configuration. If you agree, go ahead:

• During the next two or three minutes, you’ll be amused with some advertisement while the packages are installed:

• If you selected the option for automatic reboot after installation, you will see this screen after reboot:

• And finally, after a few seconds, you have the login screen:

Basic setup of a node

Once you have a node correctly installed, you can access it via web, as suggested by the console prompt shown before.

• You’ll get the login page, so please, log in:

• Once you log in for the first time, you’ll be warned about not having an enterprise license installed.

• After dismissing the warning, you’ll get to the main admin view:

• In order to add the free repositories, we’ll access pve01 (this node) -> Updates -> Repositories:

(and yes, we’ve already made some tests :smirk: )

• Here, we’ll disable these two:
  • Enterprise Proxmox
  • Ceph Quincy Enterprise
• And we’ll add these two:
  • Proxmox PVE no subscription
  • Ceph Quincy no subscription
• You have now the following options on screen:

• Let’s configure network now in order to use the two 2.5 Gbit interfaces instead of one. We can do this through the web interface and apply changes once we agree to them. Here’s what we need to do:
  • Click on pve01 node, then System -> Network.
  • Delete current bridge. Click on vmbr0 and then Remove
  • Click on Create -> Linux bond
    • Name: bond0
    • Slaves: enp2s0 enp3s0 (the two wired network interfaces)
    • Mode: balance-alb . See here for more details. This is the best configuration if you don’t have a LACP capable network switch.
    • Click on Create button.
  • Now click on Create -> Linux bridge. Fill the dialog with this:
    • Name: vmbr0
    • Bridge ports: bond0 .
    • IPv4/CIDR: 192.168.18.131/24 . Same network address you used before, including network mask.
    • Gateway (IPv4): 192.168.18.1 . Same gateway as in the previous configuration.
    • Click on Create button.
  • The changes are previewed and you can go through them before confirming:

• If you agree, click on Apply configuration.

Cluster creation

Once the three nodes are online and able to talk to each other through the network, we’ll double check the requirements for creating the Proxmox cluster.

Now, for a change, we’re going to create the cluster via command-line, following the steps detailed in the docs:

1. Create the cluster. From the first node, we create the cluster:

    root@pve01:~# pvecm create tejar
    Corosync Cluster Engine Authentication key generator.
    Gathering 2048 bits for key from /dev/urandom.
    Writing corosync key to /etc/corosync/authkey.
    Writing corosync config to /etc/pve/corosync.conf
    Restart corosync and cluster filesystem
   

   We check the current status:

    root@pve01:~# pvecm status
    Cluster information
    -------------------
    Name:             tejar
    Config Version:   1
    Transport:        knet
    Secure auth:      on
   
    Quorum information
    ------------------
    Date:             Tue Apr 15 01:06:31 2025
    Quorum provider:  corosync_votequorum
    Nodes:            1
    Node ID:          0x00000001
    Ring ID:          1.5
    Quorate:          Yes
   
    Votequorum information
    ----------------------
    Expected votes:   1
    Highest expected: 1
    Total votes:      1
    Quorum:           1  
    Flags:            Quorate 
   
    Membership information
    ----------------------
        Nodeid      Votes Name
    0x00000001          1 192.168.18.131 (local)
   

2. Add second (and subsequent) node(s): Log in to the new node you want to join the cluster and do:

    root@pve02:~# pvecm add 192.168.18.131
    Please enter superuser (root) password for '192.168.18.131': ***********
    Establishing API connection with host '192.168.18.131'
    The authenticity of host '192.168.18.131' can't be established.
    X509 SHA256 key fingerprint is 80:EC:8B:A3:1F:B0:41:C6:F3:5C:E2:7A:47:6C:66:EE:12:DD:B9:EF:CE:0D:43:85:6A:70:A6:92:A7:DA:0F:27.
    Are you sure you want to continue connecting (yes/no)? yes
    Login succeeded.
    check cluster join API version
    No cluster network links passed explicitly, fallback to local node IP '192.168.18.132'
    Request addition of this node
    Join request OK, finishing setup locally
    stopping pve-cluster service
    backup old database to '/var/lib/pve-cluster/backup/config-1744672204.sql.gz'
    waiting for quorum...OK
    (re)generate node files
    generate new node certificate
    merge authorized SSH keys
    generated new node certificate, restart pveproxy and pvedaemon services
    successfully added node 'pve02' to cluster.
   

   In the command above we’ve used the IP address of an existing cluster node.

3. Repeat the previous step with the third and subsequent nodes to join the cluster.

4. Check cluster status:

    root@pve03:~# pvecm status
    Cluster information
    -------------------
    Name:             tejar
    Config Version:   3
    Transport:        knet
    Secure auth:      on
   
    Quorum information
    ------------------
    Date:             Tue Apr 15 01:14:00 2025
    Quorum provider:  corosync_votequorum
    Nodes:            3
    Node ID:          0x00000003
    Ring ID:          1.d
    Quorate:          Yes
   
    Votequorum information
    ----------------------
    Expected votes:   3
    Highest expected: 3
    Total votes:      3
    Quorum:           2  
    Flags:            Quorate 
   
    Membership information
    ----------------------
        Nodeid      Votes Name
    0x00000001          1 192.168.18.131
    0x00000002          1 192.168.18.132
    0x00000003          1 192.168.18.133 (local)
   

Wrap-up

We have a working Proxmox cluster with three nodes. In upcoming posts we’ll deal with Ceph shared storage configuration and other minor issues.