Warning
This release has been superseded by v4.24.0-rc.2
rc.1 contains two issues that are fixed in rc.2:
- Setup script menu used confusing [I/r/c] format instead of numbered [1/2/3] options
- Temperature SSH verification endpoint was missing authentication
Please use v4.24.0-rc.2 instead.
Note for RC versions
This is a pre-release version for testing. Consider backing up your Pulse configuration before updating (snapshot for ProxmoxVE, volume backup for Docker, or copy `/etc/pulse/` for manual installs).
What's Changed
New Feature: Defense-in-Depth Temperature Monitoring
Background:
Temperature monitoring traditionally uses SSH key authentication—the same trusted method used by infrastructure automation tools like Ansible, Terraform, and SaltStack. This works well for native installations where Pulse runs directly on the host OS.
For containerized deployments, this meant storing SSH keys inside the container. While this is functional and widely used across the industry, it doesn't take full advantage of modern container isolation capabilities. We can do better.
The Architecture: pulse-sensor-proxy
v4.24.0 introduces a new proxy architecture that treats containers as untrusted while keeping the same seamless user experience:
- Host-side proxy service - A minimal Go daemon runs on the Proxmox host with systemd hardening
- Credentials stay on the host - SSH keys live in `/var/lib/pulse-sensor-proxy/ssh/` with strict filesystem permissions (0600)
- Unix socket communication - Pulse talks to the proxy via a socket, authenticated by the Linux kernel's `SO_PEERCRED` (UID/PID verification)
- Defense-in-depth SSH restrictions - Keys use forced commands (`command="sensors -j"`), no port forwarding, no PTY allocation, IP restrictions
- Observability built-in - Prometheus metrics endpoint, structured audit logging with correlation IDs, rate limiting per client
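A check a defender can run against the key restrictions listed above (forced command, no port/agent/X11 forwarding, no PTY), written here as an added example and not Pulse's own code: it parses authorized_keys entries, honours OpenSSH's `restrict` shorthand, and reports every entry that lacks one of the restrictions. The sample key file and its key blobs are constructed placeholders.

```go
// Added example, not Pulse's own code: audit an authorized_keys file for the
// restrictions this release applies to the proxy's keys (forced command, no
// port/agent/X11 forwarding, no PTY). The sample key file is constructed and
// its key material is a placeholder.
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one key entry (by line and comment) and the options it lacks.
type Finding struct {
	Line    int
	Comment string
	Missing []string
}

// restrictOptions is what OpenSSH's "restrict" implies; "command" must still be explicit.
var restrictOptions = []string{"no-port-forwarding", "no-pty", "no-agent-forwarding", "no-x11-forwarding"}

// splitOutsideQuotes splits s at bytes where isSep is true, except inside
// double quotes, so command="sensors -j" survives both space and comma splits.
func splitOutsideQuotes(s string, isSep func(byte) bool) []string {
	var parts []string
	var cur strings.Builder
	inQuote := false
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '"':
			inQuote = !inQuote
			cur.WriteByte(c)
		case isSep(c) && !inQuote:
			if cur.Len() > 0 {
				parts = append(parts, cur.String())
				cur.Reset()
			}
		default:
			cur.WriteByte(c)
		}
	}
	if cur.Len() > 0 {
		parts = append(parts, cur.String())
	}
	return parts
}

// AuditAuthorizedKeys returns a Finding for every key entry that is not fully
// restricted. A line that starts with a key type carries no options at all.
func AuditAuthorizedKeys(content string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(content))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		toks := splitOutsideQuotes(line, func(c byte) bool { return c == ' ' || c == '\t' })
		have := map[string]bool{}
		if !strings.HasPrefix(toks[0], "ssh-") && !strings.HasPrefix(toks[0], "ecdsa-") && !strings.HasPrefix(toks[0], "sk-") {
			for _, opt := range splitOutsideQuotes(toks[0], func(c byte) bool { return c == ',' }) {
				have[strings.ToLower(strings.SplitN(opt, "=", 2)[0])] = true
			}
			toks = toks[1:]
		}
		var missing []string
		for _, o := range append([]string{"command"}, restrictOptions...) {
			// "restrict" satisfies every no-* option but never the forced command.
			if !have[o] && !(have["restrict"] && o != "command") {
				missing = append(missing, o)
			}
		}
		if len(missing) == 0 {
			continue
		}
		comment := ""
		if len(toks) > 2 {
			comment = strings.Join(toks[2:], " ")
		}
		findings = append(findings, Finding{Line: lineNo, Comment: comment, Missing: missing})
	}
	return findings
}

// sampleAuthorizedKeys is constructed input; the AAAA... blobs are placeholders, not keys.
const sampleAuthorizedKeys = `# constructed sample authorized_keys
command="sensors -j",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding,from="10.0.0.0/24" ssh-ed25519 AAAAPLACEHOLDER1 pulse-sensor-proxy@pve1
ssh-ed25519 AAAAPLACEHOLDER2 root@legacy-pulse-container
restrict,command="sensors -j" ssh-ed25519 AAAAPLACEHOLDER3 pulse-sensor-proxy@pve2
`

func main() {
	for _, f := range AuditAuthorizedKeys(sampleAuthorizedKeys) {
		fmt.Printf("line %d (%s): missing %s\n", f.Line, f.Comment, strings.Join(f.Missing, ","))
	}
}
```

Run against the sample, only the unrestricted legacy entry on line 3 is reported; the `from=` source restriction is left optional here, matching the release's "IP restrictions optional" wording, but adding it to the required list is a one-line change.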
What This Means:
If a container is ever compromised (through any software running in it), there are no cluster credentials to extract. The attack stops at the container boundary. Temperature monitoring continues working—Pulse just talks to a local socket.
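To make the socket-authentication step concrete, here is an added example (not pulse-sensor-proxy's code) of a Linux Unix-socket listener that reads the peer's kernel-supplied PID/UID/GID with SO_PEERCRED and refuses any UID outside an allow-list. The in-process client, the temporary socket path and the allow-list (the demo's own UID) are assumptions made so the exchange runs stand-alone.

```go
// Added example, not pulse-sensor-proxy's own code: a Unix-socket listener that
// authenticates each peer with SO_PEERCRED before answering, plus an in-process
// client. Assumes Linux; the allowed UID is this process's own only for the demo.
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// PeerPolicy lists the UIDs permitted to use the proxy socket.
type PeerPolicy struct{ AllowedUIDs map[uint32]bool }

// peerCredentials asks the kernel for the peer's PID/UID/GID. The kernel fills
// these in at connect time; nothing the client sends can change them.
func peerCredentials(conn *net.UnixConn) (cred *syscall.Ucred, err error) {
	raw, err := conn.SyscallConn()
	if err != nil {
		return nil, err
	}
	var credErr error
	if err := raw.Control(func(fd uintptr) {
		cred, credErr = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	}); err != nil {
		return nil, err
	}
	return cred, credErr
}

// Authorize applies the policy to the kernel-reported credentials.
func (p PeerPolicy) Authorize(cred *syscall.Ucred) error {
	if cred == nil {
		return fmt.Errorf("no peer credentials")
	}
	if !p.AllowedUIDs[cred.Uid] {
		return fmt.Errorf("uid %d (pid %d) not permitted", cred.Uid, cred.Pid)
	}
	return nil
}

// serveOne accepts one connection, checks it, replies OK or DENIED, and returns
// the audit line a proxy would log for the request.
func serveOne(l *net.UnixListener, policy PeerPolicy) (string, error) {
	conn, err := l.AcceptUnix()
	if err != nil {
		return "", err
	}
	defer conn.Close()
	cred, err := peerCredentials(conn)
	if err != nil {
		return "", err
	}
	verdict := "OK"
	if err := policy.Authorize(cred); err != nil {
		verdict = "DENIED"
	}
	audit := fmt.Sprintf("peer pid=%d uid=%d gid=%d verdict=%s", cred.Pid, cred.Uid, cred.Gid, verdict)
	_, err = fmt.Fprintf(conn, "%s\n", verdict)
	return audit, err
}

// Demo runs the listener and a client in-process and returns the client's reply
// together with the server's audit line. ListenUnix unlinks the socket on Close.
func Demo(policy PeerPolicy) (reply, audit string, err error) {
	sock := filepath.Join(os.TempDir(), fmt.Sprintf("peercred-%d.sock", os.Getpid()))
	addr := &net.UnixAddr{Name: sock, Net: "unix"}
	l, err := net.ListenUnix("unix", addr)
	if err != nil {
		return "", "", err
	}
	defer l.Close()
	var srvAudit string
	var srvErr error
	done := make(chan struct{})
	go func() {
		srvAudit, srvErr = serveOne(l, policy)
		close(done)
	}()
	c, err := net.DialUnix("unix", nil, addr)
	if err != nil {
		return "", "", err
	}
	defer c.Close()
	line, err := bufio.NewReader(c).ReadString('\n')
	if err != nil {
		return "", "", err
	}
	<-done
	return strings.TrimSpace(line), srvAudit, srvErr
}

func main() {
	own := uint32(os.Getuid())
	fmt.Println(Demo(PeerPolicy{AllowedUIDs: map[uint32]bool{own: true}}))
	fmt.Println(Demo(PeerPolicy{AllowedUIDs: map[uint32]bool{}}))
}
```

The point of the design is that the decision is made on values the kernel attaches to the connection, so a compromised client cannot claim a different identity. One caveat when the client is in an unprivileged container: the UID the host sees is the container's mapped UID, so the allow-list on the host has to use that mapped value rather than the UID visible inside the container.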
Architecture Diagram:
```
┌─────────────────────────────────────────┐
│  LXC/Docker Container                   │
│  ┌────────────────────────────────┐     │
│  │ Pulse Backend                  │     │
│  │ - No SSH keys stored           │     │
│  │ - Talks to proxy via socket    │     │
│  └────────────────────────────────┘     │
└──────────────┬──────────────────────────┘
               │ Unix Socket
               │ (SO_PEERCRED auth)
┌──────────────▼──────────────────────────┐
│  Proxmox Host                           │
│  ┌────────────────────────────────┐     │
│  │ pulse-sensor-proxy service     │     │
│  │ - Manages SSH keys             │     │
│  │ - Systemd hardening            │     │
│  │ - Rate limiting                │     │
│  │ - Audit logging                │     │
│  └────────────────────────────────┘     │
│                 │                       │
│                 │ SSH (restricted keys) │
│                 ▼                       │
│  ┌────────────────────────────────┐     │
│  │ Cluster Nodes (pve1, pve2...)  │     │
│  │ - sensors -j forced command    │     │
│  │ - No port forwarding           │     │
│  │ - IP restrictions optional     │     │
│  └────────────────────────────────┘     │
└─────────────────────────────────────────┘
```
What's Included:
- New `pulse-sensor-proxy` binary (multi-arch: amd64, arm64, armv7)
- Automatic installation during Pulse LXC setup
- Migration guide for existing deployments
- Key rotation script with dry-run and rollback support
- Prometheus metrics endpoint for monitoring
- Comprehensive documentation (security hardening, operations, troubleshooting)
For Existing Deployments:
After updating, containerized installations will see a migration banner with a streamlined upgrade path. The process is straightforward and non-disruptive:
```bash
# On your Proxmox host
curl -fsSL https://raw.githubusercontent.com/rcourtman/Pulse/main/scripts/install-sensor-proxy.sh | \
  bash -s -- --ctid <your-pulse-container-id>
```
This installs the proxy, migrates SSH keys to the host, and updates the container configuration. Temperature monitoring continues working without interruption.
Documentation:
- Security Hardening Guide: `/docs/PULSE_SENSOR_PROXY_HARDENING.md` - 960 lines covering systemd security, key rotation, incident response, Prometheus monitoring, and production rollout procedures
- Temperature Monitoring: `/docs/TEMPERATURE_MONITORING.md` - Updated with proxy architecture details and troubleshooting
Other Improvements
- Multi-architecture Docker agent binaries now included in Docker image (`/opt/pulse/bin/pulse-*`)
- Enhanced setup script with guided menu for proxy installation/removal
- Automatic SSH key migration during proxy installation
- Legacy deployment detection on health endpoint for smooth transition planning
Installation
Testing v4.24.0-rc.1:
```bash
# Install script (ProxmoxVE/LXC/systemd)
curl -fsSL https://raw.githubusercontent.com/rcourtman/Pulse/main/install.sh | bash -s -- --version v4.24.0-rc.1

# Docker
docker pull rcourtman/pulse:v4.24.0-rc.1
docker run -d --name pulse -p 7655:7655 -v pulse-data:/etc/pulse rcourtman/pulse:v4.24.0-rc.1
```
Testing Focus Areas
This RC introduces a new defense-in-depth architecture for temperature monitoring. Key areas to test:
- New Installations: Deploy on a fresh LXC container and verify proxy auto-setup works
- Migrations: Existing containerized installs should see migration banner and upgrade smoothly
- Key Rotation: Test the rotation script (`pulse-sensor-proxy-rotate-keys.sh`) with `--dry-run` and actual rotation
- Multi-Architecture: Verify Docker deployments work on both x86_64 and ARM Proxmox hosts
- Failure Modes: Stop the proxy service, observe graceful fallback in Pulse logs
- Monitoring: Check Prometheus metrics endpoint at `http://127.0.0.1:9127/metrics` on the proxy host
Notes:
- Native (non-containerized) Pulse installations continue using direct SSH (no proxy needed)
- Standalone Proxmox nodes work but only monitor that single node
- Requires passwordless root SSH between cluster nodes (standard for Proxmox clusters)
Please report any issues or feedback on GitHub before this is promoted to stable 4.24.0.
Downloads
Pre-built binaries available below for linux-amd64, linux-arm64, and linux-armv7.