In August 2025, Proxmox VE 9.0 was officially released. As with every major update, many changes were made, including bug fixes and the addition of new features.
The Proxmox VE development teams strive to provide as detailed a changelog as possible. In addition to this changelog, the wiki that hosts it offers various articles and procedures to help you upgrade Proxmox.
The steps to follow before and after upgrading a system are often little discussed. In this article, I offer a few tips that have proven themselves across various infrastructures. Several topics will be covered:
- Backing up data
- Reading the changelogs
- Updating the N-1 version (PVE 8)
- Upgrading to the N version (PVE 9)
- Functional testing
Upgrade from 8 to 9 - Proxmox VEProxmox VEIt is strongly recommended to perform an upgrade test on separate machines. If you have the time and resources, you can also install a beta version. This will not only let you preview the changes ahead of time, but also provide constructive feedback to the development teams to help them fix any potential issues.
Also, perform the following operations with the root account rather than an account that has sudo rights. The root user has real authority over the entire system, which is necessary for this kind of operation.
Backing up data#
Before upgrading your machines, it’s essential to start by backing up your data. Even if your virtual machine backup system is well established, make sure to verify the integrity of your backups by performing a restore test.
Remember to document the processes and keep a log of the restore tests carried out, noting both the successes and the failures, along with a detailed description (especially for failures, which will give you technical value if the problem comes back or if you need to share your experience).
When your Proxmox cluster uses Ceph, backing up your data becomes even more critical. Since Ceph is the storage system for your machines, any problem could compromise the infrastructure and lead to major complications (systems freezing, data loss, service interruption…).
Prepare a rollback plan in case the upgrade doesn’t go as planned (for example, preparing machines running PVE 8 so you can perform quick restores).
Also, on a Proxmox server, it’s worth backing up the “/etc/pve/storage.cfg” (storage definitions) and “/etc/network/interfaces” (network definitions) files. At best, you can back up the entire “/etc/pve” folder, which contains the public/private keys, the corosync configuration for the cluster, local user accounts, the SDN configuration, etc., with the command tar -czvf "/etc/pve/pve_backup_$(date +'%Y%m%d').tar.gz" /etc/pve.
Reading the changes#
Keeping up with technology is, in today’s IT, indispensable. When new major updates are rolled out, particular attention is required, especially for the tools you use. Lately, ZFS and Ceph have been getting many changes.
Take the time to find and read feedback on the Internet from people who have performed the upgrade, not only on Proxmox but also on other hypervisors.
Updating the N-1 version (PVE 8)#
Make sure to apply all the latest Proxmox 8 updates before moving to Proxmox 9. This step is crucial, because it brings your machines up to date and ensures you have the prerequisites needed for a smooth transition to the higher version.
Don’t forget to update your machines’ kernel and reboot each server. This step is essential to ensure an upgrade under the best possible conditions.
Upgrading to the N version (PVE 9)#
To upgrade PVE from version 8 to version 9, a tool is available to help you assess and determine your readiness level for the upgrade. That tool is pve8to9.
To move to Proxmox version 9, you need to be on 8.4.1 at minimum. As of 2025-09-10, PVE 8 is at 8.4.9. If you have Ceph, you must apply the updates to be on version 19.2 (Squid).
Make sure you have at least 10 Gb of free space on each of your Proxmox servers (for downloading and decompressing the new packages).
Once all the prerequisites are met, run the pve8to9 command.
For example, here is the output of the command on my machine:
= CHECKING VERSION INFORMATION FOR PVE PACKAGES =
Checking for package updates..
PASS: all packages up-to-date
Checking proxmox-ve package version..
PASS: proxmox-ve package has version >= 8.4-0
Checking running kernel version..
PASS: running kernel '6.14.8-2-bpo12-pve' is considered suitable for upgrade.
= CHECKING CLUSTER HEALTH/SETTINGS =
PASS: systemd unit 'pve-cluster.service' is in state 'active'
PASS: systemd unit 'corosync.service' is in state 'active'
PASS: Cluster Filesystem is quorate.
Analzying quorum settings and state..
INFO: configured votes - nodes: 1
INFO: configured votes - qdevice: 0
INFO: current expected votes: 1
INFO: current total votes: 1
WARN: cluster consists of less than three quorum-providing nodes!
Checking nodelist entries..
PASS: nodelist settings OK
Checking totem settings..
PASS: totem settings OK
INFO: run 'pvecm status' to get detailed cluster status..
= CHECKING HYPER-CONVERGED CEPH STATUS =
SKIP: no hyper-converged ceph setup detected!
= CHECKING CONFIGURED STORAGES =
PASS: storage 'durango_infra' enabled and active.
PASS: storage 'durango_k8s' enabled and active.
PASS: storage 'durango_temp' enabled and active.
PASS: storage 'local' enabled and active.
PASS: storage 'local-lvm' enabled and active.
PASS: storage 'local-nvme' enabled and active.
INFO: Checking storage content type configuration..
PASS: no storage content problems found
PASS: no storage re-uses a directory for multiple content types.
INFO: Check for usage of native GlusterFS storage plugin...
PASS: No GlusterFS storage found.
INFO: Checking whether all external RBD storages have the 'keyring' option configured
SKIP: No RBD storage configured.
= VIRTUAL GUEST CHECKS =
INFO: Checking for running guests..
WARN: 7 running guest(s) detected - consider migrating or stopping them.
INFO: Checking if LXCFS is running with FUSE3 library, if already upgraded..
SKIP: not yet upgraded, no need to check the FUSE library version LXCFS uses
INFO: Checking for VirtIO devices that would change their MTU...
PASS: All guest config descriptions fit in the new limit of 8 KiB
INFO: Checking container configs for deprecated lxc.cgroup entries
PASS: No legacy 'lxc.cgroup' keys found.
INFO: Checking VM configurations for outdated machine versions
PASS: All VM machine versions are recent enough
= MISCELLANEOUS CHECKS =
INFO: Checking common daemon services..
PASS: systemd unit 'pveproxy.service' is in state 'active'
PASS: systemd unit 'pvedaemon.service' is in state 'active'
PASS: systemd unit 'pvescheduler.service' is in state 'active'
PASS: systemd unit 'pvestatd.service' is in state 'active'
INFO: Checking for supported & active NTP service..
WARN: systemd-timesyncd is not the best choice for time-keeping on servers, due to only applying updates on boot.
While not necessary for the upgrade it's recommended to use one of:
* chrony (Default in new Proxmox VE installations)
* ntpsec
* openntpd
INFO: Checking if the local node's hostname 'miniquarium' is resolvable..
INFO: Checking if resolved IP is configured on local node..
PASS: Resolved node IP '192.168.1.1' configured and active on single interface.
INFO: Check node certificate's RSA key size
PASS: Certificate 'pve-root-ca.pem' passed Debian Busters (and newer) security level for TLS connections (4096 >= 2048)
PASS: Certificate 'pve-ssl.pem' passed Debian Busters (and newer) security level for TLS connections (2048 >= 2048)
PASS: Certificate 'pveproxy-ssl.pem' passed Debian Busters (and newer) security level for TLS connections (256 >= 2048)
INFO: Checking backup retention settings..
PASS: no backup retention problems found.
INFO: checking CIFS credential location..
PASS: no CIFS credentials at outdated location found.
INFO: Checking permission system changes..
INFO: Checking custom role IDs
NOTICE: Proxmox VE 9 replaced the ambiguously named 'VM.Monitor' privilege with 'Sys.Audit' for QEMU HMP monitor access and new dedicated 'VM.GuestAgent.*' privileges for access to a VM's guest agent.
The guest agent sub-privileges are 'Audit' for all informational commands, 'FileRead' and 'FileWrite' for file-read and file-write, 'FileSystemMgmt' for filesystem freeze, thaw and trim, and 'Unrestricted' for everything, including command execution. Operations that affect the VM runstate require 'VM.PowerMgmt' or 'VM.GuestAgent.Unrestricted'
FAIL: 1 custom role(s) use the to-be-dropped 'VM.Monitor' privilege and need to be adapted after the upgrade
INFO: Checking node and guest description/note length..
PASS: All node config descriptions fit in the new limit of 64 KiB
INFO: Checking if the suite for the Debian security repository is correct..
PASS: found no suite mismatch
INFO: Checking for existence of NVIDIA vGPU Manager..
PASS: No NVIDIA vGPU Service found.
INFO: Checking bootloader configuration...
WARN: systemd-boot meta-package installed but the system does not seem to use it for booting. This can cause problems on upgrades of other boot-related packages. Consider removing 'systemd-boot'
PASS: bootloader packages installed correctly
INFO: Check for dkms modules...
SKIP: could not get dkms status
INFO: Check for legacy 'filter' or 'group' sections in /etc/pve/notifications.cfg...
PASS: No legacy 'filter' or 'group' sections found!
INFO: Check for legacy 'notification-policy' or 'notification-target' options in /etc/pve/jobs.cfg...
PASS: No legacy 'notification-policy' or 'notification-target' options found!
INFO: Check for LVM autoactivation settings on LVM and LVM-thin storages...
NOTICE: storage 'local-lvm' has guest volumes with autoactivation enabled
NOTICE: storage 'local-nvme' has guest volumes with autoactivation enabled
NOTICE: Starting with PVE 9, autoactivation will be disabled for new LVM/LVM-thin guest volumes. This system has some volumes that still have autoactivation enabled. All volumes with autoactivations reside on local storage, where this normally does not cause any issues.
You can run the following command to disable autoactivation for existing LVM/LVM-thin guest volumes:
/usr/share/pve-manager/migrations/pve-lvm-disable-autoactivation
INFO: Check space requirements for RRD migration...
PASS: Enough free disk space for increased RRD metric granularity requirements, which is roughly 83.47 MiB.
INFO: Checking for IPAM DB files that have not yet been migrated.
PASS: No legacy IPAM DB found.
PASS: No legacy MAC DB found.
INFO: Checking if the legacy sysctl file '/etc/sysctl.conf' needs to be migrated to new '/etc/sysctl.d/' path.
PASS: Legacy file '/etc/sysctl.conf' exists but does not contain any settings.
INFO: Checking if matching CPU microcode package is installed.
WARN: The matching CPU microcode package 'amd64-microcode' could not be found! Consider installing it to receive the latest security and bug fixes for your CPU.
apt install amd64-microcode
SKIP: NOTE: Expensive checks, like CT cgroupv2 compat, not performed without '--full' parameter
= SUMMARY =
TOTAL: 55
PASSED: 40
SKIPPED: 5
WARNINGS: 5
FAILURES: 1
ATTENTION: Please check the output for detailed information!
Try to solve the problems one at a time and then run this checklist tool again.The “FAIL” tests prevent you from upgrading. Tests with a “WARN” or “NOTICE” result should be taken into account, but they won’t stop you from upgrading the servers.
In my case, a notice and especially a FAIL appear:
NOTICE: Proxmox VE 9 replaced the ambiguously named 'VM.Monitor' privilege with 'Sys.Audit' for QEMU HMP monitor access and new dedicated 'VM.GuestAgent.*' privileges for access to a VM's guest agent.
The guest agent sub-privileges are 'Audit' for all informational commands, 'FileRead' and 'FileWrite' for file-read and file-write, 'FileSystemMgmt' for filesystem freeze, thaw and trim, and 'Unrestricted' for everything, including command execution. Operations that affect the VM runstate require 'VM.PowerMgmt' or 'VM.GuestAgent.Unrestricted'
FAIL: 1 custom role(s) use the to-be-dropped 'VM.Monitor' privilege and need to be adapted after the upgradeI use OpenTofu to generate my virtual machines in Proxmox, and previously, in the custom role, I had added “VM.Monitor”. That role no longer exists now, so you need to remove it in “Datacenter” > “Roles” > select that role, then edit it by removing “VM.Monitor”.
A few articles available on my site:
In the meantime, since I have an AMD processor, a “warn” is displayed:
WARN: The matching CPU microcode package 'amd64-microcode' could not be found! Consider installing it to receive the latest security and bug fixes for your CPU.
apt install amd64-microcodeTo fix this problem, add non-free-firmware at the end of the “ftp.debian.org” repositories, update the repository list with apt update, and install the amd64-microcode package (for AMD). The official instructions are in the Proxmox admin guide for firmware repositories
and Proxmox admin guide for CPU firmware
.
The other warns correspond to machines that are still running (no big deal), the use of systemd-timesyncd (Proxmox recommends using chrony or openntpd rather than systemd-timesyncd, the latter only applying its configuration at boot), which I ignore (depending on my environment), and the systemd-boot package which is not used and can be removed.
Once everything looks good to you, it’s time to upgrade your Proxmox! A sed command will be run to change the distribution’s reference name to switch to Trixie in place of bookworm. A quick sed -i 's/bookworm/trixie/g' /etc/apt/sources.list and you can now run apt update.
root@miniquarium:~# apt update
Get:1 http://ftp.fr.debian.org/debian trixie InRelease [138 kB]
Get:2 http://download.proxmox.com/debian/pve trixie InRelease [2,771 B]
Get:3 http://security.debian.org trixie-security InRelease [43.4 kB]
Get:4 http://ftp.fr.debian.org/debian trixie-updates InRelease [47.1 kB]
Get:5 http://download.proxmox.com/debian/pve trixie/pve-no-subscription amd64 Packages [161 kB]
Get:6 http://security.debian.org trixie-security/main amd64 Packages [5,304 B]
Get:7 http://security.debian.org trixie-security/main Translation-en [6,724 B]
Get:8 http://ftp.fr.debian.org/debian trixie/main amd64 Packages [9,668 kB]
Get:9 http://ftp.fr.debian.org/debian trixie/main Translation-en [6,484 kB]
Get:10 http://ftp.fr.debian.org/debian trixie/contrib amd64 Packages [53.8 kB]
Get:11 http://ftp.fr.debian.org/debian trixie/contrib Translation-en [49.6 kB]
Get:12 http://ftp.fr.debian.org/debian trixie/non-free-firmware amd64 Packages [6,868 B]
Get:13 http://ftp.fr.debian.org/debian trixie/non-free-firmware Translation-en [4,704 B]
Get:14 http://ftp.fr.debian.org/debian trixie-updates/main amd64 Packages [2,432 B]
Get:15 http://ftp.fr.debian.org/debian trixie-updates/main Translation-en [396 B]
Fetched 16.7 MB in 2s (10.8 MB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
587 packages can be upgraded. Run 'apt list --upgradable' to see them.More than 580 packages to update — let’s go with the apt dist-upgrade command. In my case, about 580 MB will be downloaded and roughly 1.2 GB more storage than currently will be used. The apt-listchanges tool will open to list the changes across many packages, always interesting to read (also readable online).
The /etc/issue file will be modified to reflect the new Debian 13 values. While cosmetic, it’s still nice to have.
Installing new version of config file /etc/debian_version ...
Configuration file '/etc/issue'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** issue (Y/I/N/O/D/Z) [default=N] ? yDuring the upgrade of the libc6 package, a question will be asked about automatically restarting services; I advise you to answer “No”. Indeed, there’s no point restarting services on the fly during the Proxmox upgrade, since we’ll have to reboot the server anyway.
Setting up dbus (1.16.2-2) ...
A reboot is required to replace the running dbus-daemon.
Please reboot the system when convenient.Installed on a consumer-grade SSD, the PVE 8 to PVE 9 upgrade took about 20 minutes to complete, including the reboot.
Functional testing#
Once you’ve rebooted your machine, try to access your Proxmox server. That’s the first test: did the server reboot and is it operational?
Here, yes — PVE 9.0.3 is online!
What now?#
Over SSH, run the apt autoremove command to remove the leftovers (notably obsolete kernels).
With Debian 13, APT moves to version 3 and has a new format for the sources.list files (Thanks L.G. for the info!). Debian has a page explaining the changes:
SourcesList - Debian WikiDebian WikiI ran the apt modernize-sources command on my Proxmox node, and the files were updated:
root@miniquarium:~# apt modernize-sources
The following files need modernizing:
- /etc/apt/sources.list
- /etc/apt/sources.list.d/ceph.list
- /etc/apt/sources.list.d/pve-enterprise.list
Modernizing will replace .list files with the new .sources format,
add Signed-By values where they can be determined automatically,
and save the old files into .list.bak files.
This command supports the 'signed-by' and 'trusted' options. If you
have specified other options inside [] brackets, please transfer them
manually to the output files; see sources.list(5) for a mapping.
For a simulation, respond N in the following prompt.
Rewrite 3 sources? [Y/n]
Modernizing /etc/apt/sources.list...
- Writing /etc/apt/sources.list.d/debian.sources
- Writing /etc/apt/sources.list.d/proxmox.sources
Modernizing /etc/apt/sources.list.d/ceph.list...
Modernizing /etc/apt/sources.list.d/pve-enterprise.list...Now, the repositories look like this:
root@miniquarium:~# cat /etc/apt/sources.list.d/proxmox.sources
# Modernized from /etc/apt/sources.list
Types: deb
URIs: http://download.proxmox.com/debian/pve/
Suites: trixie
Components: pve-no-subscription
Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpgDon’t forget to disable the “pve-enterprise” repository that will be added afterward, if you don’t have a Proxmox Enterprise license.
Use your machines, create VMs, make the most of your infrastructure! Update Proxmox Backup Server, document, optimize your monitoring…

