Deploying Solace — What to Expect

1 What is Solace?

Solace is a support appliance that runs as a VM inside your Proxmox cluster. It provides monitoring, diagnostics, and a secure channel for your support partner to assist you remotely.

The appliance connects outbound to a central headend — no inbound ports are opened on your network. Your support partner can only access your environment when you explicitly grant permission through the Solace web UI.

2 Virtual Machine Requirements

The Solace appliance runs as a standard Linux VM on your Proxmox cluster. Create a VM with the following specs:

The VM needs internet access for initial setup (package installation, Docker image pulls). After installation, it only needs outbound access to three specific endpoints (see Firewall & Network Rules).

3 Choosing a Domain Name

Solace uses a domain suffix for all service URLs. The main web UI is at solace.<domain>, and add-on services like Grafana are at grafana.<domain>, pulse.<domain>, etc.

How it works

You choose a domain suffix. Solace creates subdomains under it:

Requirements for the domain

• Must be resolvable internally — your PVE nodes need to reach solace.<domain> and other service subdomains on your network. If the domain only exists in external DNS, your nodes won't be able to communicate with Solace for metrics or monitoring.
• Should have a public DNS zone — for SSL certificates, the domain's parent zone must be publicly accessible. Solace uses Let's Encrypt with DNS-01 validation, which requires adding a CNAME record in public DNS. If the domain is purely internal (.local, .internal), SSL certificates cannot be issued and the appliance will use self-signed certificates (browser warnings).
• You must be able to modify DNS — you'll need to add a wildcard A record and (for SSL) a CNAME record. If your DNS is managed by a third party and changes take days, plan ahead.

Good domain choices

Common mistakes

4 DNS Changes

Two DNS records are needed:

1. Wildcard A record (required)

Create a wildcard A record pointing to the Solace VM's IP address:

This must be resolvable from your PVE nodes. If you use split-horizon DNS, ensure the internal view also resolves these records.

2. ACME CNAME record (for SSL certificates)

After installation, your support partner will provide a CNAME record to add for SSL certificate validation:

This is a one-time setup. Once added, SSL certificates are issued and renewed automatically.

5 Firewall & Network Rules

Outbound access (from the Solace VM)

Internal access (from the Solace VM)

Internal access (from PVE nodes to Solace VM)

Corporate HTTP Proxy

If your network routes internet traffic through a corporate HTTP proxy, the installer will detect it automatically or prompt for the proxy URL during installation. The proxy is used for outbound connections to the headend, Docker registry, and certificate provider.

The following traffic bypasses the proxy automatically:

• All private network ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) — covers Proxmox VE/PBS API access
• Internal Docker services (Vault, databases, monitoring tools)
• VMware vCenter and ESXi connections (used during VM migrations)

6 What Happens During Installation

Your support partner will SSH into the VM and run an automated installer. The process takes approximately 10–15 minutes.

During installation, you'll be asked to choose a LUKS passphrase. This encrypts a secure storage volume on the VM that holds all secrets, certificates, and sensitive configuration.

The installer will:

• Install Docker, HAProxy, and supporting services
• Create a LUKS-encrypted storage volume for secrets
• Deploy the Solace application stack
• Generate self-signed TLS certificates (replaced by Let's Encrypt certs later)
• Configure automatic startup on boot

After installation, your support partner will configure the connection to the headend, add your Proxmox clusters, and install any requested app store services (Grafana, monitoring tools, etc.).

7 What You Get

Once deployed, the Solace web UI is accessible at https://solace.<domain>. Here's what's included:

8 Security Model

• Outbound-only connections — the appliance connects out to the headend. No inbound ports are opened on your network.
• Encrypted at rest — all secrets, tokens, and certificates are stored in a LUKS2-encrypted volume. The passphrase is required at every boot.
• Encrypted in transit — all traffic uses TLS (HTTPS) or SSH. HSTS headers enforce secure connections.
• You control remote access — support tunnels are only active when you request remote support. You can disconnect at any time from the web UI.
• No shared credentials — Solace uses its own dedicated API tokens for PVE and PBS access. It never stores or requires your admin passwords.
• Least-privilege API access — the PVE API token uses a custom SolaceSupport role with Sys.Audit, Sys.Modify, Sys.Syslog, SDN.Audit, Mapping.Modify, Datastore.Audit, VM.Audit, and VM.Migrate privileges. It cannot create, modify, or delete VMs.

What data is sent to the headend?

• Cluster names and node counts (for support context)
• Support requests and diagnostic reports (when you submit them)
• License key registration status

VM configurations, storage data, user credentials, and network details are never sent to the headend.

9 Boot Process & Reboots

When the Solace VM boots (after initial installation, reboots, or power outages), it requires the LUKS passphrase to unlock the encrypted storage before services can start.

1. The VM boots and displays a branded passphrase prompt on the console
2. Enter the LUKS passphrase via the PVE console (VNC or SPICE)
3. The encrypted volume is unlocked and all services start automatically
4. Solace is accessible within about 30 seconds of entering the passphrase

10 Automated Patching (Optional)

Solace includes two levels of patch management:

• Patch Scanning — automatic discovery of pending updates across all nodes with Debian Security Tracker CVE classification. Works immediately with no additional setup.
• Patch Plans — automated rolling upgrades that drain VMs, run apt-get dist-upgrade, reboot nodes one at a time, and return VMs. Requires SSH access from the Solace VM to each PVE node.

What your support partner needs from you

If you want automated patch execution, the following needs to be set up on each PVE node. Your support partner will provide the exact script with the SSH public key pre-filled.

How automated patching works

Nodes are patched one at a time in the order you set. For each node, Solace:

1. Drains VMs off the node (live migration, shutdown, or suspend — configurable per VM)
2. Sets Ceph noout flags to prevent unnecessary rebalancing
3. Runs apt-get dist-upgrade to install all pending updates
4. Reboots the node and waits for it to rejoin the cluster
5. Clears Ceph flags and waits for storage health
6. Returns all VMs to the node

The process is fully automated but can be paused, resumed, or cancelled at any point from the Solace web UI.

11 VMware Migration (Eligible Customers)

For customers migrating from VMware to Proxmox VE, Solace includes a comprehensive migration tool that orchestrates the entire process directly from the appliance. The tool is designed to handle a wide range of scenarios — from fully automated migrations of standard Linux VMs to cautious import-only transfers of critical systems for manual review.

What the migration tool provides

• vCenter & ESXi connectivity — connect to one or more VMware environments with credentials stored securely in the appliance's encrypted Vault
• VM discovery — scan vCenter for VMs with automatic OS detection, resource profiling, and datastore information
• Migration plans — group VMs into plans with configurable NFS paths, network mapping between VMware port groups and PVE bridges, and concurrency controls
• Per-VM migration modes — choose the right approach for each VM:
  • Full Migration — automated guest preparation, power off, disk transfer, VM creation on PVE, start, and verification
  • Offline — for VMs already powered off. Cold disk copy instead of live vMotion
  • No Guest Prep — for appliances or VMs where tool management should be skipped
  • Import Only — create the PVE VM and import disks, but leave it powered off for manual review
• Three-tier credential management — SSH credentials for guest preparation resolve per-VM first, then plan-level, then connection-level
• Pre-flight validation — automated checks cover VMware connectivity, PVE token authentication, NFS paths, network mappings, credential resolution, and SSH reachability before any migration begins
• Live execution dashboard — real-time, step-by-step progress for every VM with retry, skip, and reset controls

Infrastructure requirements

The migration tool requires some infrastructure in place before use:

12 Snapshot Management

The Snapshots page scans all VMs and containers across your clusters for stale snapshots. Stale snapshots waste storage, slow down migrations, and can cause issues during backups.

How it works

• No extra setup required — uses the existing PVE API token
• Scan on demand — click "Scan All" to check every cluster for snapshots
• Age threshold — snapshots older than 7 days are flagged by default
• Dismiss — intentionally long-lived snapshots can be dismissed so they don't count toward stale totals
• Dashboard widget — the main dashboard shows a stale snapshot count with a link to the full page

13 NetBox Integration (Optional)

If you use NetBox for infrastructure documentation, Solace can synchronize your PVE cluster inventory to NetBox. Clusters, nodes, and VMs are mapped to NetBox objects with a review-before-push workflow.

Key features

• Read-only sync — changes are proposed as "pending" for review. Nothing is written to NetBox until you explicitly accept and push.
• Field-level diffs — see exactly what changed (old value → new value) before accepting
• Link to existing — if NetBox already has devices or VMs, link them to PVE objects instead of creating duplicates
• Live browse tree — view PVE data mapped to the NetBox model with sync status indicators
• Automatic resync — after ProxLB migrations or VMware migrations, NetBox sync runs automatically to capture changes

Requirements