Labsco
RekklesNA logo

ProxmoxMCP-Plus

β˜… 281

from RekklesNA

Proxmox VE MCP server for VMs, LXCs, snapshots, backups, storage, and cluster operations.

πŸ”₯πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedAccount requiredAdvanced setup

ProxmoxMCP-Plus

<!-- mcp-name: io.github.RekklesNA/proxmox-mcp-plus --> <div align="center"> <img src="docs/assets/logo-proxmoxmcp-plus.png" alt="ProxmoxMCP-Plus Logo" width="160"/> </div> <p align="center"><strong>Operate Proxmox VE from MCP clients, AI agents, and OpenAPI tooling through one security-conscious control plane for VMs, LXCs, snapshots, backups, ISOs, container commands, and persistent long-running jobs.</strong></p> <p align="center"> <a href="https://pypi.org/project/proxmox-mcp-plus/"><img alt="PyPI" src="https://img.shields.io/pypi/v/proxmox-mcp-plus"></a> <a href="https://github.com/RekklesNA/ProxmoxMCP-Plus/releases"><img alt="GitHub Release" src="https://img.shields.io/github/v/release/RekklesNA/ProxmoxMCP-Plus"></a> <a href="https://github.com/RekklesNA/ProxmoxMCP-Plus/actions/workflows/ci.yml"><img alt="CI" src="https://img.shields.io/github/actions/workflow/status/RekklesNA/ProxmoxMCP-Plus/ci.yml?branch=main"></a> <a href="https://github.com/RekklesNA/ProxmoxMCP-Plus/pkgs/container/ProxmoxMCP-Plus"><img alt="GHCR" src="https://img.shields.io/badge/GHCR-container-blue"></a> <a href="LICENSE"><img alt="License" src="https://img.shields.io/github/license/RekklesNA/ProxmoxMCP-Plus"></a> </p> <p align="center"> <a href="#quick-start">Quick Start</a> | <a href="#client-install">Client Install</a> | <a href="#demo">Demo</a> | <a href="#choose-the-right-tool">Tools</a> | <a href="#safety-model">Safety</a> | <a href="#scenario-templates">Scenarios</a> | <a href="#documentation">Docs</a> | <a href="https://github.com/RekklesNA/ProxmoxMCP-Plus/wiki">Wiki</a> </p>

ProxmoxMCP-Plus architecture

Why ProxmoxMCP-Plus

ProxmoxMCP-Plus sits between AI clients and Proxmox VE so operators do not have to stitch together raw API calls, one-off shell scripts, and custom job polling for every workflow.

It exposes the same operational surface in two ways:

  • MCP for Claude Desktop, Cursor, VS Code, Open WebUI, Codex, and other MCP-capable agents
  • OpenAPI for HTTP automation, dashboards, internal tools, and no-code workflows

What you get:

  • VM and LXC lifecycle actions
  • snapshot create, rollback, and delete
  • backup and restore workflows
  • ISO download and cleanup
  • node, storage, and cluster inspection
  • SSH-backed container command execution with guardrails
  • persistent job tracking for async Proxmox tasks

What Makes It Different

PriorityHow the project handles it
Dual access pathsNative MCP for agent workflows and OpenAPI for standard HTTP automation
Proxmox-oriented workflowsDay-2 VM, LXC, snapshot, backup, ISO, storage, and cluster operations
Long-running operationsStable job_ids, Proxmox UPID tracking, polling, retry, cancel, and audit history
Safer executionProxmox API tokens, OpenAPI bearer auth, command policy, approval tokens, TLS validation, and MCP HTTP Host/Origin controls
Real validationUnit, integration, Docker/OpenAPI, and live Proxmox e2e entry points are documented in the repo

Demo

This demo is a direct terminal recording of qwen/qwen3.6-plus driving a live MCP session in English against a local Proxmox lab. It shows natural-language control flowing through MCP tools to create and start an LXC, execute a container command, and confirm the authenticated HTTP /health surface.

Recorded demo gif

Watch the MP4 version

Choose The Right Tool

Start with read-only discovery, then move to mutating tools only after the target node, storage, VMID, and permissions are clear.

Operator goalStart withThen useNotes
Inspect the clusterget_nodes, get_cluster_statusget_storage, get_vms, get_containersBest first health check after client install
Create or manage a VMget_nodes, get_storagecreate_vm, start_vm, stop_vm, delete_vmLong-running mutations return job_id and Proxmox task_id
Manage LXCsget_containers, get_storagecreate_container, start_container, stop_container, delete_containerSSH-backed command tools require the optional ssh config
Roll back risky changeslist_snapshots with vm_type=qemu or vm_type=lxccreate_snapshot, rollback_snapshot, delete_snapshotCreate a snapshot before destructive workflow tests
Run commands inside guestsVM or container status toolsexecute_vm_command, execute_container_commandVM path needs QEMU Guest Agent; LXC path needs SSH to the Proxmox node
Track async workmutation response with job_idpoll_job, get_job, list_jobs, retry_job, cancel_jobUse job_id for agent/user conversations and task_id for raw Proxmox traceability
Automate from HTTP tools/openapi.json/jobs, /health, generated tool routesUse bearer auth and keep CORS restricted outside local development

For the full tool map, see the Tool Selection Guide and API & Tool Reference.

Safety Model

ProxmoxMCP-Plus is an access layer, not a replacement for Proxmox RBAC, network controls, or client-side MCP approval prompts.

The project gives operators several control points:

  • Proxmox API tokens decide what the backend can do.
  • PROXMOX_API_KEY protects the OpenAPI bridge by default.
  • TLS verification is enforced unless development mode is explicitly enabled.
  • command_policy controls command execution and high-risk operations.
  • approval_token can gate command execution and high-risk mutating actions.
  • MCP Streamable HTTP deployments can use DNS rebinding protection plus Host and Origin allowlists.
  • Logs are designed to avoid exposing command and credential material.

Read the Security Guide before exposing the server outside a trusted local environment.

Core Platform Capabilities

ProxmoxMCP-Plus provides a unified control surface for the operational tasks most teams actually need in Proxmox VE. The same server can expose these workflows to MCP clients for LLM and AI-agent use cases, and to HTTP consumers through the OpenAPI bridge.

Supported workflow areas:

Capability AreaAvailability
VM create / start / stop / deleteAvailable
VM snapshot create / rollback / deleteAvailable
Backup create / restoreAvailable
ISO download / deleteAvailable
LXC create / start / stop / deleteAvailable
Container SSH-backed command executionAvailable
Container authorized_keys updateAvailable
Persistent job store for long tasksAvailable
MCP job control tools (list_jobs, get_job, poll_job, cancel_job, retry_job)Available
OpenAPI /jobs endpoints with explicit status codesAvailable
Local OpenAPI /livez, /readyz, /health, and schemaAvailable
Docker native MCP Streamable HTTP at /mcpAvailable
Docker image build and /livezAvailable

Validation and contract entry points in this repository:

  • pytest -q --cov=proxmox_mcp --cov-report=term-missing --cov-fail-under=75
  • ruff check .
  • mypy src --ignore-missing-imports
  • pip-audit -r requirements.txt
  • tests/integration/test_real_contract.py
  • tests/scripts/run_real_e2e.py

tests/scripts/run_real_e2e.py now prefers proxmox-config/config.live.json or PROXMOX_MCP_E2E_CONFIG. This avoids accidentally running live checks against a machine-specific default config.json.

Positioning Against Common Approaches

CapabilityOfficial Proxmox APIOne-off scriptsProxmoxMCP-Plus
MCP for LLM and AI agent workflowsNoNoYes
OpenAPI surface for standard HTTP toolingNoUsually noYes
VM and LXC operations in one interfaceLow-level onlyDependsYes
Snapshot, backup, and restore workflowsLow-level onlyDependsYes
Persistent async job tracking and retryNoRareYes
Container command execution with policy controlsNoCustom onlyYes
Docker distribution pathNoRareYes
Repository-level live-environment verificationN/ARareYes

Scenario Templates

Ready-to-copy examples live in docs/examples/:

These are written for both human operators and LLM-driven usage.

Documentation

The README is intentionally optimized for fast GitHub comprehension. Longer operational docs live in docs/wiki/ and can also be published to the GitHub Wiki.

If you need to...Start here
Understand the project and deployment flowWiki Home
Configure and run against a Proxmox environmentOperator Guide
Connect Claude Desktop, Cursor, VS Code, Codex, Open WebUI, or HTTP clientsClient Setup Guide
Choose the right tool for a workflowTool Selection Guide
Review docs quality goals, media plan, and publishing checklistDocumentation Quality Plan
Review integration patterns and transport detailsIntegrations Guide
Install from MCP-aware IDEs and agentsAgent Installation
Enable LXC command execution over SSHContainer Command Execution
Review security and command policySecurity Guide
Inspect tool parameters, prerequisites, and behaviorAPI & Tool Reference
Debug startup, auth, or health issuesTroubleshooting
Work on the codebase or release itDeveloper Guide
Review release and upgrade notesRelease & Upgrade Notes

Published wiki:

Repo Layout

  • src/proxmox_mcp/: MCP server, config loading, security, OpenAPI bridge
  • main.py: MCP entrypoint for local and client-driven usage
  • docker-compose.yml: HTTP/OpenAPI runtime
  • requirements/: auxiliary dependency sources and runtime install lists
  • scripts/: helper startup scripts for local workflows
  • tests/scripts/run_real_e2e.py: live Proxmox and Docker/OpenAPI path
  • tests/: unit and integration coverage
  • docs/examples/: scenario-driven prompts and HTTP examples
  • docs/wiki/: longer-form operator, integration, and reference docs

Development Checks

Copy & paste β€” that's it
pytest -q --cov=proxmox_mcp --cov-report=term-missing --cov-fail-under=75
ruff check .
mypy src --ignore-missing-imports
pip-audit -r requirements.txt
python -m build

Paramiko 5.0.0 or newer is required so pip-audit can run without a CVE-2026-44405 exception.

License

MIT