中文 English

Stop Clicking Through VMs: A Hands-On Guide to Connecting Proxmox VE to an AI Agent Safely

Published: 2026-07-11
Proxmox VE AI Agent MCP Virtualization API Token Automation Security

Connecting an AI agent to Proxmox VE sounds like giving a robot administrator the keys to your datacenter. That is exactly what you should not do. The safe starting point is a dedicated, revocable, read-only API token, a locally running MCP server, and a clear approval boundary for every write operation. This guide explains the architecture, shows manual and agent-assisted setup, and provides one-click installers for Windows 11, Ubuntu 26.04, and macOS 26.

Proxmox VE connected to an AI agent

The short answer

What Proxmox VE is

Proxmox Virtual Environment, usually called Proxmox VE or PVE, combines a web interface, command-line tools, and a REST API for managing virtualization infrastructure. It can run full KVM guests, lightweight LXC containers, multiple storage backends, software-defined networking, backups, snapshots, high availability, and clusters.

Think of a Proxmox cluster as a school campus. Physical servers are buildings, VMs are classrooms, storage is the warehouse, and networks are corridors. Proxmox VE is the facilities office that knows where everything is and whether it is healthy.

As of July 2026, the official download page offers Proxmox VE 9.2. Always verify the current release and compatibility before upgrading a real cluster.

Official Proxmox VE 9.2 datacenter dashboard screenshot

Official Proxmox VE 9.2 screenshot with environment-specific names blurred.

Why connect it to an AI agent

Routine infrastructure work is often repetitive: inspect nodes, count stopped guests, check storage, review backup failures, and summarize risks. An agent can turn a natural-language request into several structured, read-only queries:

Group stopped guests by node, check storage utilization, summarize risks, and do not change anything.

The model is not directly logging into Proxmox. The AI agent selects tools, the MCP server calls the API, Proxmox validates the token, and the agent summarizes the returned data.

It is similar to ordering food. You describe what you want to a waiter, the waiter sends a structured order to the kitchen, and an employee badge controls which doors the waiter can open. The API token is that badge.

Why MCP fits

Model Context Protocol gives agents a consistent way to discover and call external tools. Instead of writing a unique integration for every agent, an MCP server describes its tools, input schemas, and outputs.

This article uses the open-source Node.js project gilby125/mcp-proxmox. It is read-only by default, requires explicit opt-in for elevated tools, and supports node and VMID allowlists. I ran its current unit-test suite locally: all 61 tests passed. I also verified its stdio tool-discovery response. I did not fabricate a live query against a reader’s private cluster; the final cluster validation must run inside your own network.

Real screenshot of the Proxmox MCP repository

The request path

AI agent, MCP server, token, and Proxmox VE request path

A read-only request follows these steps:

Each layer can be revoked independently. That is much safer than storing an administrator password in a prompt or shell history.

Start read-only

Use a staged permission model:

Layered permission model

An agent should have less privilege than an on-call administrator, not more. If you temporarily use PROXMOX_VERIFY_TLS=false for a trusted internal self-signed certificate, plan to install a trusted certificate and turn verification on.

Create a read-only API token

Web interface

Open Datacenter → Permissions → Users and create a dedicated user such as ai-agent@pve. Then open Datacenter → Permissions → API Tokens, create a token named mcp, and keep privilege separation enabled. Save the secret immediately; it is normally shown only once.

Finally, grant the token PVEAuditor at /, /vms, or a narrower pool path. A narrower path reduces the blast radius.

Shell commands

pveum user add 'ai-agent@pve' --comment 'Read-only AI Agent'
pveum user token add 'ai-agent@pve' 'mcp' --privsep 1
pveum acl modify / -token 'ai-agent@pve!mcp' -role PVEAuditor
pveum user token permissions 'ai-agent@pve' 'mcp'

The token-creation command prints the secret. Store it securely and avoid terminal recordings, screenshots, chat messages, and Git commits.

Real screenshot of the official Proxmox VE API Viewer

Manual MCP installation

Install Node.js 20 or newer, then run:

git clone https://github.com/gilby125/mcp-proxmox.git
cd mcp-proxmox
npm install
npm test

Test tool discovery:

printf '{"jsonrpc":"2.0","id":1,"method":"tools/list"}\n' \
  | PROXMOX_HOST='<PVE_HOST>' \
    PROXMOX_TOKEN_VALUE='<TOKEN_SECRET>' \
    node index.js

Then add the server to an MCP-compatible client:

{
  "mcpServers": {
    "proxmox": {
      "command": "node",
      "args": ["<ABSOLUTE_PATH>/mcp-proxmox/index.js"],
      "env": {
        "PROXMOX_HOST": "<PVE_HOST>",
        "PROXMOX_USER": "ai-agent@pve",
        "PROXMOX_TOKEN_NAME": "mcp",
        "PROXMOX_TOKEN_VALUE": "<TOKEN_SECRET>",
        "PROXMOX_ALLOW_ELEVATED": "false",
        "PROXMOX_VERIFY_TLS": "false"
      }
    }
  }
}

Protect the configuration because it contains the token secret. Use chmod 600 <CONFIG_FILE> on Linux and macOS, or restrict the Windows ACL to your own account.

One-click installers

The scripts install local prerequisites, clone the MCP server, install dependencies, ask for the token interactively, and update a common MCP client configuration without enabling elevated mode.

Windows 11

Download the PowerShell installer

Set-ExecutionPolicy -Scope Process Bypass
.\install-proxmox-agent-windows11.ps1

Ubuntu 26.04

Download the Ubuntu installer

chmod +x install-proxmox-agent-ubuntu-2604.sh
./install-proxmox-agent-ubuntu-2604.sh

macOS 26

Download the macOS installer

chmod +x install-proxmox-agent-macos.sh
./install-proxmox-agent-macos.sh

GitHub and npm are used to obtain open-source code and packages, but the bridge and credentials run locally; there is no hosted management relay between your agent and PVE. Fully offline environments can mirror the repository and npm dependencies.

Agent-assisted configuration

Give the following prompt to a local agent that can safely run terminal commands. Enter the secret manually when the installer asks for it; never paste it into the prompt.

Configure a read-only Proxmox VE MCP integration.
- Detect Windows 11, Ubuntu 26.04, or macOS 26.
- Download and run the matching installer from this article.
- Let me enter the token secret interactively; never echo or log it.
- Keep PROXMOX_ALLOW_ELEVATED=false.
- Preserve all existing MCP servers.
- Validate tools/list and a read-only node query only.
- Do not start, stop, snapshot, migrate, delete, or modify anything.
- Stop on 401, 403, or TLS errors and explain the failing layer instead of widening permissions.

Validation checklist

Ask the agent to list available Proxmox tools, query node status with names redacted, count running and stopped QEMU/LXC guests, and summarize storage or failed tasks. Then perform a negative test by asking it to delete a guest. With the default setup, the request must be refused because elevated tools are disabled.

If deletion is possible, revoke the token immediately and inspect the ACL and environment variables.

Troubleshooting

Four-layer troubleshooting flow

Timeout or connection refused

Verify routing, firewall rules, the management port, and the configured host. A network failure occurs before authentication, so recreating a token will not fix it.

401 Unauthorized

Check the realm in PROXMOX_USER, the token name, the complete secret, and whether the token was deleted or regenerated.

403 Forbidden

The identity is recognized, but its ACL does not permit the requested path. With privilege separation enabled, make sure the token itself has an ACL:

pveum user token permissions 'ai-agent@pve' 'mcp'

No Proxmox tools in the agent

Validate JSON syntax, client configuration location, and absolute paths to node and index.js. Run tools/list directly in a terminal to separate client configuration problems from MCP startup problems.

TLS errors

The long-term fix is a trusted certificate with PROXMOX_VERIFY_TLS=true. Disabling verification should only be a temporary choice on a trusted internal network.

When to enable elevated tools

Only consider PROXMOX_ALLOW_ELEVATED=true after you have tested inside a disposable pool, assigned a non-administrator token, configured node or VMID allowlists, required confirmation, prepared backups, and enabled auditing. Deletion, rollback, shrinking storage, and other irreversible operations should remain manual.

Official Proxmox VE dynamic load balancer screenshot

Official screenshot with environment names blurred. An agent can explain balance and migration options, but production migration still requires storage, HA, network, and maintenance-window checks.

Good first use cases

Let the agent organize the ledger before allowing it to sign checks.

Q&A

Is MCP mandatory?

No. You can build REST scripts or use restricted SSH with pvesh. MCP is useful because tools and schemas are discoverable and reusable across compatible agents.

Can I use a root token?

You technically can, but you should not. A dedicated user, dedicated token, minimum ACL, and easy revocation substantially reduce impact when credentials leak or an agent chooses the wrong action.

Does the model see the secret?

The MCP client normally passes environment variables directly to the local server rather than inserting them into the conversation. The configuration file is still sensitive: restrict permissions, avoid cloud sync, never commit it, and rotate the token.

Can the agent automatically repair failures?

Eventually, but start with detection and a proposed plan. Unattended remediation needs explicit triggers, idempotency, timeouts, rollback, scope restrictions, and audit records.

Final advice

Connecting Proxmox VE to an AI agent is not merely adding a chat box to a datacenter. It is adding a natural-language orchestration layer above a mature API. A trustworthy design is read-only by default, minimally privileged, scope-limited, secret-aware, confirmable, verifiable, auditable, and quickly revocable.

Let the agent become an inspector before it becomes an operator.

References