github PegaProx/project-pegaprox v0.9.8
v0.9.8 — Compliance + V2P VirtIO + SSH stabilization


Highlights

🛡️ Compliance Dashboard (new top-level tab)

  • Coverage cards for CMMC L1/L2 (FAR 52.204-21, NIST 800-171), NIST 800-53 (Mod), DISA STIG, BSI IT-Grundschutz, ISO 27001 (Annex A), NIS2 / KRITIS, VS-NfD, FIPS 140-3 (informational, with honest "not satisfiable on stock Proxmox" note)
  • Per-framework PDF download with disclaimer + per-control matrix
  • Cluster-scoped: opening the tab queries only the selected cluster instead of fanning SSH out across every cluster

🪟 Windows V2P — VirtIO driver pre-staging

  • Opt-in offline injection of viostor, vioscsi, NetKVM, Balloon, pvpanic, vioserial, viorng before first boot
  • Works across LVM / iSCSI, ZFS zvol, Ceph RBD, NFS / CIFS / CephFS qcow2 (storage-aware dispatch via qemu-nbd / rbd map / losetup -b 512)
  • Windows boots straight on virtio-scsi-pci — no BSOD, no Safe-Mode driver dance
  • ntfsfix handles the Fast-Startup hybrid-shutdown (hibernated) state; python3-hivex adds the SYSTEM-hive Services and CriticalDeviceDatabase entries

🔧 Hardening — 9 framework profiles + service-account aware

  • Profile selector in Harden PVE Node UI: All / CIS-L1 / CIS-L2 / VS-NfD / BSI / ISO / NIS2 / CMMC L1/L2 / NIST 800-53 / DISA STIG
  • root and pegaprox always exempted from pam_faillock / pw_aging / session_limit / inactive_accounts — no more locking PegaProx out of the nodes it manages
  • Optional input for additional service accounts to exempt (e.g. monitoring, backup)
  • Live per-control progress (e.g. "8/15: ssh_crypto") with an in-flight spinner and queued / just-applied / failed states

🔐 fail2ban — PVE 8 + PVE 9 compatible

  • Auto-detects the Debian major version and picks iptables-multiport on Debian 12 (PVE 8) or nftables-multiport on Debian 13+ (PVE 9)
  • systemd backend with journalmatch _COMM=pvedaemon|pveproxy — no /var/log/daemon.log dependency
  • Verbose check shows host info + chosen banaction so issues are diagnosable from the UI
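The banaction choice and the journal-based jail described above, as an added example that is not PegaProx's own code: pick_banaction(), render_filter(), render_jail() and extract_offenders() are stand-ins written for this note, the jail/filter name (pveauth), the failregex, the simplified <HOST> expansion and the sample journal lines are all constructed here, and the jail PegaProx actually installs may differ in detail.

```python
"""Added example, not PegaProx code: choose the fail2ban banaction by Debian
major version, render a systemd-backend jail and filter for the Proxmox API
daemons, and run the failregex over constructed journal lines.

Assumptions: the jail/filter name (pveauth), the failregex, the simplified
<HOST> expansion and SAMPLE_JOURNAL are constructed for this example."""
import re

# Constructed failregex in fail2ban syntax. fail2ban's systemd backend
# re-assembles journal entries as "<date> <host> <_COMM>[<_PID>]: <MESSAGE>",
# so the same regex works whether the source is a log file or the journal.
FAILREGEX = (r"pve(?:daemon|proxy)\[\d+\]: authentication failure; "
             r"rhost=<HOST> user=\S+")

# Constructed sample lines shaped like pvedaemon/pveproxy auth messages.
SAMPLE_JOURNAL = [
    "Mar 03 10:01:02 pve1 pvedaemon[1234]: authentication failure; rhost=198.51.100.7 user=root@pam msg=Authentication failure",
    "Mar 03 10:01:05 pve1 pveproxy[2345]: authentication failure; rhost=::ffff:198.51.100.7 user=admin@pve msg=no such user ('admin@pve')",
    "Mar 03 10:01:09 pve1 pvedaemon[1234]: <root@pam> successful auth for user 'root@pam'",
]

def pick_banaction(debian_version: str) -> str:
    """Mapping from the release note: iptables-multiport on Debian 12 (PVE 8),
    nftables-multiport on Debian 13+ (PVE 9). Input is /etc/debian_version."""
    major = int(debian_version.strip().split(".")[0])
    return "iptables-multiport" if major < 13 else "nftables-multiport"

def render_filter() -> str:
    """filter.d/pveauth.conf: journalmatch limits the systemd backend to the
    two PVE daemons ('+' separates OR'ed match groups in fail2ban syntax)."""
    return ("[Definition]\n"
            f"failregex = {FAILREGEX}\n"
            "ignoreregex =\n\n"
            "[Init]\n"
            "journalmatch = _COMM=pvedaemon + _COMM=pveproxy\n")

def render_jail(debian_version: str, maxretry: int = 3,
                findtime: str = "10m", bantime: str = "1h") -> str:
    """jail.d/pveauth.local: systemd backend, so /var/log/daemon.log is not needed."""
    return ("[pveauth]\n"
            "enabled = true\n"
            "port = https,http,8006\n"
            "backend = systemd\n"
            "filter = pveauth\n"
            f"banaction = {pick_banaction(debian_version)}\n"
            f"maxretry = {maxretry}\n"
            f"findtime = {findtime}\n"
            f"bantime = {bantime}\n")

# Simplified stand-in for fail2ban's <HOST>: strips an IPv4-mapped ::ffff: prefix.
_HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.:]+)"

def extract_offenders(lines) -> list:
    """Return the rhost of every line the failregex would match, in order."""
    pat = re.compile(FAILREGEX.replace("<HOST>", _HOST))
    return [m.group("host") for m in (pat.search(line) for line in lines) if m]
```

Running extract_offenders(SAMPLE_JOURNAL) yields the same client twice (once via pvedaemon, once via pveproxy with the ::ffff: prefix stripped) and ignores the successful-auth line, which is exactly the count fail2ban compares against maxretry.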

🚀 SSH stabilization for big clusters (15+ nodes)

  • Phase 1: bounded parallel fanout via utils/concurrent.run_per_node (gevent pool, max 8 workers per cluster). 15-node custom-script: ~75 min worst-case → ~1-2 min.
  • Phase 2: OpenSSH ControlMaster + paramiko Transport pool in utils/ssh_pool.py. Verified on real ESXi — cold call 762 ms → warm 195 ms (−74 % latency).
  • HA paths intentionally untouched. All _ssh_run_command_* in core/manager.py go their original route (verified by source-grep). HA latency unchanged.
  • Graceful fallback: if /run/pegaprox/ socket dir can't be created, ssh runs without sharing.
  • ESXi AccountLockFailures lockout risk during V2P is practically eliminated, since pooled connections mean far fewer fresh SSH logins per run
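The two phases above (bounded fan-out, then connection sharing with a graceful fallback), as an added example that is not PegaProx's own code: run_per_node(), control_opts(), ssh_command() and demo() are illustrative stand-ins that use the stdlib thread pool and the OpenSSH client options, whereas the real helpers in utils/concurrent.py and utils/ssh_pool.py use a gevent pool and a paramiko Transport pool. The socket directory and the fake per-node action are assumptions; no real ssh is spawned.

```python
"""Added example, not PegaProx code: bounded per-node fan-out with one
failure isolated per node, plus an ssh argv builder that enables OpenSSH
ControlMaster sharing only when the control-socket directory is usable.

Assumptions: run_per_node, control_opts, ssh_command and demo are stand-ins;
the real helpers use a gevent pool and paramiko, not the thread pool here."""
import os
import shlex
import tempfile
from concurrent.futures import ThreadPoolExecutor, as_completed
from concurrent.futures import TimeoutError as FutureTimeout

MAX_WORKERS = 8  # at most 8 SSH sessions in flight per cluster, however many nodes

def run_per_node(nodes, action, max_workers=MAX_WORKERS, timeout=30.0):
    """Call action(node) for every node with at most max_workers in flight.
    Returns {node: ("ok", result) | ("error", message)}; a failing or hanging
    node never aborts the others and never blocks the caller past `timeout`."""
    results = {}
    pool = ThreadPoolExecutor(max_workers=max(1, min(max_workers, len(nodes))))
    futures = {pool.submit(action, n): n for n in nodes}
    try:
        for fut in as_completed(futures, timeout=timeout):
            node = futures[fut]
            try:
                results[node] = ("ok", fut.result())
            except Exception as exc:  # per-node isolation is the point
                results[node] = ("error", f"{type(exc).__name__}: {exc}")
    except FutureTimeout:
        for node in futures.values():
            results.setdefault(node, ("error", f"timeout after {timeout}s"))
    finally:
        pool.shutdown(wait=False, cancel_futures=True)
    return results

def control_opts(socket_dir="/run/pegaprox"):
    """OpenSSH ControlMaster options, or [] when the socket directory cannot
    be created (graceful fallback: ssh still works, just without sharing)."""
    try:
        os.makedirs(socket_dir, mode=0o700, exist_ok=True)
    except OSError:
        return []
    return ["-o", "ControlMaster=auto",
            "-o", f"ControlPath={socket_dir}/%C",  # %C: hash of host, port, user
            "-o", "ControlPersist=60"]

def ssh_command(host, remote_argv, user="root", socket_dir="/run/pegaprox"):
    """ssh argv for one node. The remote command is shlex.join'ed because sshd
    hands it to the login shell on the node, so each element must be quoted."""
    return ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=10",
            *control_opts(socket_dir), f"{user}@{host}", shlex.join(remote_argv)]

def demo() -> dict:
    """Constructed run: a fake per-node action on a 15-node cluster, one
    sharing-enabled and one fallback ssh command line."""
    def fake_node_action(node):
        if node == "pve3":
            raise OSError("No route to host")
        return f"{node}: ok"
    nodes = [f"pve{i}" for i in range(1, 16)]
    fanout = run_per_node(nodes, fake_node_action, timeout=5)
    with tempfile.TemporaryDirectory() as tmp:
        shared = ssh_command("pve1", ["cat", "/etc/pve/.members"],
                             socket_dir=os.path.join(tmp, "sock"))
        blocker = os.path.join(tmp, "not-a-dir")   # a file where a dir is needed
        open(blocker, "w").close()
        unshared = ssh_command("pve1", ["echo", "a b;c"],
                               socket_dir=os.path.join(blocker, "sock"))
    return {"fanout": fanout, "shared": shared, "unshared": unshared}
```

The fallback path is the one worth testing on a node: when the socket directory cannot be created, control_opts() returns nothing and the command still runs, it just pays the full handshake every time.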

🌐 Air-gap mode

  • Settings toggle disables update-mirror checks + external CVE lookups
  • OpenCollective links + sponsor logos remain visible (they're static hyperlinks, no outbound HTTP)
  • For BSI VS-NfD / restricted networks where outbound HTTP is forbidden

🔒 Security fixes

  • HIGH (F2 from in-house red-team): iSCSI CHAP setup had a shell-injection flaw: user-supplied target / portal / username / password were f-string-interpolated into iscsiadm command lines. Fixed with strict regex validation plus shlex.quote() as defense-in-depth.
  • Audit log retention configurable (30–3650 days). BSI IT-Grundschutz recommends ≥ 180.
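The shape of the F2 finding and its fix, as an added example that is not PegaProx's own code: IscsiTarget, the allow-list regexes, chap_login_vulnerable(), chap_login_hardened() and to_remote_shell() are constructed for illustration, and the release note does not show the real validation patterns or iscsiadm invocation.

```python
"""Added example, not PegaProx code: the iSCSI CHAP shell injection described
above next to a hardened builder that validates every field with a strict
regex and only ever emits shlex-quoted command strings.

Assumptions: IscsiTarget, the regexes, both builders and the GOOD/EVIL inputs
are constructed; the real PegaProx code is not shown in the release note."""
import re
import shlex
from dataclasses import dataclass

# Constructed allow-lists. Target: RFC 3720 iqn./eui. name. Portal: host or
# [v6] with optional :port. CHAP secret: 12-16 printable ASCII, no spaces.
_TARGET = re.compile(r"^(?:iqn\.\d{4}-\d{2}\.[a-z0-9.\-]+(?::[A-Za-z0-9.\-_:]+)?"
                     r"|eui\.[0-9a-fA-F]{16})$")
_PORTAL = re.compile(r"^(?:\[[0-9a-fA-F:]+\]|[A-Za-z0-9.\-]+)(?::\d{1,5})?$")
_USER = re.compile(r"^[A-Za-z0-9._\-@]{1,255}$")
_SECRET = re.compile(r"^[\x21-\x7e]{12,16}$")

@dataclass(frozen=True)
class IscsiTarget:
    target: str
    portal: str
    username: str
    password: str

def chap_login_vulnerable(t: IscsiTarget) -> str:
    """BEFORE: user input f-string'ed into a shell line. A portal such as
    '10.0.0.5; id > /tmp/pwned' appends a second command."""
    return (f"iscsiadm -m node -T {t.target} -p {t.portal} --op update "
            f"-n node.session.auth.username -v {t.username} && "
            f"iscsiadm -m node -T {t.target} -p {t.portal} --op update "
            f"-n node.session.auth.password -v {t.password}")

def validate(t: IscsiTarget) -> IscsiTarget:
    """Reject anything outside the allow-list before it gets near a command."""
    checks = (("target", t.target, _TARGET), ("portal", t.portal, _PORTAL),
              ("username", t.username, _USER), ("password", t.password, _SECRET))
    for field, value, pattern in checks:
        if not pattern.fullmatch(value):
            raise ValueError(f"invalid iSCSI {field}")
    return t

def chap_login_hardened(t: IscsiTarget) -> list:
    """AFTER: validate, then build argv lists for subprocess (no shell); a
    caller that must ship them over ssh uses to_remote_shell() below."""
    t = validate(t)
    base = ["iscsiadm", "-m", "node", "-T", t.target, "-p", t.portal, "--op", "update"]
    return [base + ["-n", "node.session.auth.authmethod", "-v", "CHAP"],
            base + ["-n", "node.session.auth.username", "-v", t.username],
            base + ["-n", "node.session.auth.password", "-v", t.password]]

def to_remote_shell(argvs) -> str:
    """Defense in depth: when the commands are handed to a remote login shell,
    every element is shlex.quote'd, so a secret containing ';' or '$' stays a
    single literal argument."""
    return " && ".join(shlex.join(argv) for argv in argvs)

GOOD = IscsiTarget("iqn.2024-01.com.example:storage.lun1", "10.0.0.5:3260",
                   "pveuser", "s3cr3t;pa$$wd99")      # constructed
EVIL = IscsiTarget("iqn.2024-01.com.example:storage.lun1",
                   "10.0.0.5; id > /tmp/pwned", "pveuser", "s3cr3t;pa$$wd99")

def demo() -> dict:
    try:
        chap_login_hardened(EVIL)
        rejected = False
    except ValueError:
        rejected = True
    return {"vulnerable_line": chap_login_vulnerable(EVIL),
            "evil_rejected": rejected,
            "remote_line": to_remote_shell(chap_login_hardened(GOOD))}
```

Note the layering: the regex is what actually stops the injected portal, while shlex.quote only matters for the password field, which legitimately may contain shell metacharacters and so cannot be regex-restricted away.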

💾 Storage UI improvements

  • Shared storage with partial node reachability shows 1/2 nodes badge with "active on pve1, unreachable from pve2" tooltip
  • iSCSI raw is now distinguished from unreachable: active=1, total=0 renders a "raw" pill instead of a false-positive "unreachable"
  • Content browsing routes through a reachable node automatically; node switcher in the content header

🌍 i18n

  • 7 languages updated: DE / EN / FR / ES / PT / KO / IT
  • New keys for compliance dashboard, hardening profiles, air-gap mode, storage states, OC banner

🐛 Other notable fixes

  • ESXi keepalive thread (every 4 min) prevents idle SOAP-session timeout — fixes "PegaProx loses ESXi over time" reports
  • ESXi auto-reconnects on stale sessions, with cooldown + lock to prevent reconnect storms
  • Re-enabling a host in VMware-Manager preserves its config (0.9.7 wiped the host entry on PUT)
  • Disk-Datastore display: per-node reachability tracked server-side, no more misleading "0 B / 0 B" on shared storage
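The keepalive plus cooldown-and-lock reconnect pattern from the first two fixes above, as an added example that is not PegaProx's own code: SessionGuard, start_keepalive(), the fake connect/is_alive callables and the clock values in demo() are constructed, and PegaProx's real pyVmomi session handling is not shown in the release note.

```python
"""Added example, not PegaProx code: a stale-session guard with a lock and a
cooldown, so that eight workers hitting a dead ESXi session trigger one
reconnect instead of eight, plus the keepalive loop that pings the session
before the idle SOAP timeout can fire.

Assumptions: SessionGuard, start_keepalive and the fake session/clock in
demo() are constructed; the real ESXi client code is not shown here."""
import threading
import time

class SessionGuard:
    """Hands out a live session; reconnects under a lock and at most once per
    cooldown window, so a burst of callers cannot start a reconnect storm."""

    def __init__(self, connect, is_alive, cooldown=30.0, clock=time.monotonic):
        self._connect, self._is_alive = connect, is_alive
        self._cooldown, self._clock = cooldown, clock
        self._lock = threading.Lock()
        self._session = None
        self._last_attempt = float("-inf")
        self.connects = 0  # initial connect + every reconnect

    def session(self):
        if self._session is not None and self._is_alive(self._session):
            return self._session
        with self._lock:
            # Double-check: another caller may have reconnected while we waited.
            if self._session is not None and self._is_alive(self._session):
                return self._session
            if self._clock() - self._last_attempt < self._cooldown:
                raise ConnectionError("ESXi session stale; reconnect throttled by cooldown")
            self._last_attempt = self._clock()
            self._session = self._connect()
            self.connects += 1
            return self._session

def start_keepalive(guard, ping, interval=240.0):
    """Background thread: every `interval` seconds (4 min in the release note)
    ping the session so the idle timeout never fires. Returns the stop event."""
    stop = threading.Event()
    def loop():
        while not stop.wait(interval):
            try:
                ping(guard.session())
            except ConnectionError:
                pass  # throttled; the next tick retries
    threading.Thread(target=loop, name="esxi-keepalive", daemon=True).start()
    return stop

def demo() -> dict:
    """Constructed scenario on a fake clock: one reconnect under a burst of
    eight callers, throttling inside the cooldown, a fresh reconnect after it."""
    sessions = []
    def connect():
        sessions.append({"alive": True})
        return sessions[-1]
    now = [1000.0]
    guard = SessionGuard(connect, lambda s: s["alive"], cooldown=30.0, clock=lambda: now[0])
    guard.session()["alive"] = False   # the idle timeout has killed the first session
    now[0] += 60.0                     # well past the cooldown of the initial connect
    errors = []
    def worker():
        try:
            guard.session()
        except ConnectionError as exc:
            errors.append(exc)
    before = guard.connects
    threads = [threading.Thread(target=worker) for _ in range(8)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    burst_reconnects = guard.connects - before
    sessions[-1]["alive"] = False      # stale again, still inside the cooldown
    try:
        guard.session()
        throttled = False
    except ConnectionError:
        throttled = True
    now[0] += 31.0                     # cooldown elapsed
    guard.session()
    return {"burst_reconnects": burst_reconnects, "burst_errors": len(errors),
            "throttled_in_cooldown": throttled, "total_connects": guard.connects}
```

The double-check under the lock is what keeps burst_errors at zero: callers that saw the dead session before the lock was taken find the fresh one once they get in, instead of each tripping the cooldown.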

💎 Sponsors

Massive thanks to our Platinum Sponsor 🏆 netwolk GmbH — your support keeps this project going and directly funds ongoing PegaProx development.

Welcome to our newest Bronze Sponsor 🥉 IDK Manager.

Interested in sponsoring? → pegaprox.com/#sponsor | sponsor@pegaprox.com | opencollective.com/pegaprox


Full changelog: see version.json changelog array.
Upgrade path: in-app updater (Settings → Updates) or bash update.sh from a working install.
Post-upgrade: restart PegaProx service so the new ESXi keepalive + parallel SSH helpers initialize.
