github fabriziosalmi/proxmox-lxc-autoscale v2.0.0

7 hours ago

v2.0.0 — Async Architecture, Dual CLI/API Backend, Security Hardening

Complete rewrite of the autoscaling daemon. 32 files changed, 4154 insertions, 1770 deletions.

Architecture

  • Entire daemon migrated to asyncio event loop
  • Pydantic v2 configuration models with type validation and threshold enforcement
  • ProxmoxBackend abstraction with CLIBackend (pct commands via local/SSH) and RESTBackend (Proxmox REST API via proxmoxer)
  • AsyncSSHPool connection pool replaces global SSH client singleton
  • ${ENV_VAR} and ${ENV_VAR:-default} expansion in YAML configuration values

Security

  • SSH default policy changed from AutoAddPolicy (accept all) to RejectPolicy (verify host keys)
  • StrictHostKeyChecking=no removed from Docker entrypoint, known_hosts file required
  • Command injection vector in CPU pinning eliminated (native Python file I/O replaces sh -c with f-strings)
  • SecretMaskingFilter redacts passwords, tokens, and API keys from all log output
  • ssh_host_key_policy=auto deprecated with explicit security warning at startup
  • Non-root Docker user available for API-only deployments (LXC_RUN_AS_ROOT=false)
  • Password authentication via sshpass uses environment variable (-e) instead of command line (-p)
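
An added example of the log-redaction item above, not the project's own SecretMaskingFilter code: a stdlib logging filter that masks secrets, attached to the handler so records propagated from child loggers are covered too. The regex patterns, the `autoscale-demo` logger name and the sample messages are constructed assumptions.

```python
import io
import logging
import re

# Assumed patterns (not from the project): key=value / key: value pairs
# whose key names a secret, and HTTP Bearer tokens.
_SECRET_KV = re.compile(
    r"(?i)\b([\w-]*(?:password|passwd|token|secret|api[_-]?key)[\w-]*)(\s*[=:]\s*)"
    r"(\"[^\"]*\"|'[^']*'|\S+)"
)
_BEARER = re.compile(r"(?i)\b(bearer\s+)[A-Za-z0-9._~+/=-]+")
MASK = "***"


def mask_secrets(text: str) -> str:
    """Replace secret values with MASK, keeping the key so logs stay readable."""
    text = _SECRET_KV.sub(lambda m: f"{m.group(1)}{m.group(2)}{MASK}", text)
    return _BEARER.sub(lambda m: m.group(1) + MASK, text)


class SecretMaskingFilter(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message first so secrets passed as %-style args are
        # masked as well, then drop the args so they are not re-applied.
        record.msg = mask_secrets(record.getMessage())
        record.args = None
        return True


def build_logger(stream) -> logging.Logger:
    handler = logging.StreamHandler(stream)
    # A filter on a logger only sees records logged directly on it; a filter
    # on the handler also sees records propagated from child loggers.
    handler.addFilter(SecretMaskingFilter())
    logger = logging.getLogger("autoscale-demo")  # hypothetical logger name
    logger.handlers[:] = [handler]
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger


def demo() -> list:
    """Log constructed sample messages and return the lines actually written."""
    buf = io.StringIO()
    log = build_logger(buf)
    log.info("connecting with password=%s", "hunter2-constructed")
    logging.getLogger("autoscale-demo.notify").warning("POST failed, api_key: abc123")
    log.info("Authorization: Bearer eyJconstructed.token")
    log.info("scaled container 101 to 4 cores")
    return buf.getvalue().splitlines()
```

Traceback text from `exc_info` is rendered by the formatter after filters run, so this filter does not mask secrets that appear only inside exception output.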

Performance

  • Zero-sleep CPU measurement: first cycle stores raw cgroup sample, delta computed on second cycle
  • Memory read from host-side cgroup (memory.current/memory.max) instead of pct exec into containers
  • Core count and CPU pinning state cached in-memory, redundant pct config calls eliminated
  • Backup file writes skipped when container settings are unchanged
  • Notifications dispatched as fire-and-forget async tasks via asyncio.to_thread
  • Shared requests.Session with connection pooling for HTTP notifiers
  • Notification backoff after 3 consecutive failures
  • JSON log rotation at 10MB with persistent line-buffered file handle

Error Handling

  • All bare except Exception blocks replaced with specific exception types

Testing

  • 187 tests (was 6), 57% coverage overall, core modules 70-98%
  • Test suites: config validation, backend abstraction, scaling logic, security hardening, notifications, async command execution, cgroup parsing

Dependencies

  • Added: pydantic>=2.0 (required)
  • Optional: proxmoxer>=2.0 (for REST API backend)

Breaking Changes

  • SSH default policy changed from auto (accept all) to reject (verify host keys)
  • Python 3.9+ required (zoneinfo module)
  • Docker entrypoint requires known_hosts file (auto-generated via ssh-keyscan on first boot, or mount your own)

See CHANGELOG.md for the full list of changes.
