List all users in Proxmox.

Args: enabled: Only show enabled users. full: Include detailed info (groups, tokens, etc.).

Get details for a specific user.

Args: userid: User ID (format: 'user@realm', e.g. 'admin@pam').

Create a new user.

Args: userid: User ID (format: 'user@realm', e.g. 'myuser@pve'). password: Password (only for pve/pam realms). email: Email address. firstname: First name. lastname: Last name. groups: Comma-separated group list. comment: Description. enable: Enable user. expire: Account expiration (Unix epoch, 0 = never).

Update an existing user.

Args: userid: User ID (format: 'user@realm'). email: Email address. firstname: First name. lastname: Last name. groups: Comma-separated group list. comment: Description. enable: Enable/disable user. expire: Account expiration (Unix epoch, 0 = never, -1 = don't change). append: Append groups instead of replacing.

Delete a user.

Args: userid: User ID to delete (format: 'user@realm').

List API tokens for a user.

Args: userid: User ID (format: 'user@realm').

Get details for a specific API token.

Args: userid: User ID (format: 'user@realm'). tokenid: Token ID.

Create a new API token for a user. Returns the token value (shown only once).

Args: userid: User ID (format: 'user@realm'). tokenid: Token ID (alphanumeric). comment: Token description. privsep: Enable privilege separation (token has own permissions, not user's full permissions). expire: Expiration (Unix epoch, 0 = never).

Delete an API token.

Args: userid: User ID (format: 'user@realm'). tokenid: Token ID.

List all user groups.

Get group details.

Args: groupid: Group ID.

Create a new group.

Args: groupid: Group ID. comment: Description.

Update a group.

Args: groupid: Group ID. comment: Description.

Delete a group.

Args: groupid: Group ID.

List all available roles.

Get role details and its privileges.

Args: roleid: Role ID.

Create a new role with specific privileges.

Args: roleid: Role ID. privs: Comma-separated list of privileges (e.g. 'VM.Allocate,VM.Config.Disk,VM.PowerMgmt').

Update role privileges.

Args: roleid: Role ID. privs: Comma-separated list of privileges. append: Append privileges instead of replacing.

Delete a role.

Args: roleid: Role ID.

Get the full ACL (access control list) — shows all permission assignments.

Add or remove ACL entries (permission assignments).

Args: path: Object path (e.g. '/', '/vms/100', '/storage/local', '/pool/mypool'). roles: Comma-separated role list. users: Comma-separated user list (format: 'user@realm'). groups: Comma-separated group list. tokens: Comma-separated token list (format: 'user@realm!tokenid'). propagate: Propagate permissions to child objects. delete: Remove the ACL entry instead of adding.

List configured authentication realms/domains (PAM, PVE, LDAP, AD, OpenID).

Get authentication domain configuration.

Args: realm: Realm ID (e.g. 'pam', 'pve', 'my-ldap').

Sync users/groups from an external auth domain (LDAP/AD).

Args: realm: Realm ID to sync. dry_run: Only show what would change. full: Full sync (not just incremental). enable_new: Enable newly synced users. remove_vanished: Comma-separated: 'entry' (remove users), 'properties' (clear), 'acl' (remove ACLs).

List TFA (two-factor auth) entries.

Args: userid: Filter by user ID (empty = all users).

Check effective permissions for a user on a given path.

Args: userid: User to check (empty = current user). path: Object path to check (empty = root).

Change a user's password.

Args: userid: User ID (format: 'user@realm'). password: New password.

List all scheduled backup jobs (vzdump) in the cluster.

Get details of a specific backup job.

Args: id: Backup job ID.

Get volumes included in a backup job.

Args: id: Backup job ID.

Create a scheduled backup job.

Args: storage: Target storage ID for backups. schedule: Schedule in systemd calendar format (e.g. 'daily', 'weekly', '02:00'). all_guests: Backup all guests. vmid: Comma-separated VMIDs to back up (if not all_guests). node: Only back up guests on this node. mode: Backup mode: 'snapshot', 'suspend', 'stop'. compress: Compression: 'none', 'lzo', 'gzip', 'zstd'. mailnotification: 'always' or 'failure'. mailto: Comma-separated email addresses. maxfiles: Max backup files to keep (0 = unlimited, deprecated - use prune_backups). prune_backups: Retention schedule (e.g. 'keep-daily=7,keep-weekly=4'). notes_template: Template for backup notes. enabled: Enable the job. comment: Description.

Update a scheduled backup job.

Args: id: Backup job ID. storage: Target storage ID. schedule: Schedule in systemd calendar format. all_guests: Backup all guests. vmid: Comma-separated VMIDs. node: Node filter. mode: Backup mode. compress: Compression. enabled: Enable/disable. delete: Comma-separated properties to delete.

Delete a scheduled backup job.

Args: id: Backup job ID.

Start an immediate backup (vzdump) on a node.

Args: node: The node to run the backup on. vmid: Comma-separated VMIDs (required if not all_guests). all_guests: Back up all guests on the node. storage: Target storage (empty = default). mode: Backup mode: 'snapshot', 'suspend', 'stop'. compress: Compression: 'none', 'lzo', 'gzip', 'zstd'. stdout: Write to stdout instead of storage.

Get the default vzdump configuration for a node.

Args: node: The node name.

Extract the guest configuration from a vzdump backup archive.

Args: node: The node name. volume: Backup volume ID (e.g. 'local:backup/vzdump-qemu-100-2024_01_01-00_00_00.vma.zst').

List files in a vzdump backup for single-file restore.

Args: node: The node name. storage: Storage ID. volume: Backup volume ID. filepath: Path within the backup (default '/').

Download a file from a vzdump backup.

Args: node: The node name. storage: Storage ID. volume: Backup volume ID. filepath: Path of the file to download from the backup.

Get the Proxmox VE API version information.

Get cluster status (nodes online, quorum, HA state).

List all resources across the cluster (VMs, containers, storage, nodes).

Args: type: Filter by type: 'vm', 'storage', 'node', 'sdn', 'pool' (empty = all).

List recent tasks across all nodes in the cluster.

Args: limit: Maximum number of tasks to return.

Get the cluster log (recent events).

Args: max_entries: Max log entries.

Get the next available VMID in the cluster.

Args: vmid: Specific VMID to check availability for (0 = auto-assign).

Get datacenter/cluster-wide options (keyboard layout, console, language, etc.).

Update datacenter/cluster-wide options.

Args: keyboard: Keyboard layout (e.g. 'en-us', 'de'). language: Default language. console: Default console viewer: 'applet', 'vv', 'html5', 'xtermjs'. http_proxy: HTTP proxy URL. email_from: Default email sender address. max_workers: Max parallel workers. description: Datacenter description. delete: Comma-separated settings to delete.

Get the current cluster configuration (corosync, nodes, join info).

List nodes configured in the cluster.

Get info needed to join a node to this cluster.

Join a node to an existing cluster.

Args: hostname: Hostname/IP of existing cluster node. fingerprint: SSL fingerprint of the cluster node. password: Root password of the cluster node. nodeid: Force specific node ID. force: Force join even with warnings.

Get the corosync totem configuration.

List all replication jobs in the cluster.

Get a specific replication job configuration.

Args: id: Replication job ID (format: GUEST-JOBNUM, e.g. '100-0').

Create a storage replication job.

Args: id: Job ID (format: GUEST-JOBNUM, e.g. '100-0'). target: Target node. type: Replication type (currently only 'local'). schedule: Schedule in systemd calendar format (default '*/15' = every 15 min). comment: Description. rate: Rate limit in mbps. disable: Create disabled.

Delete a replication job.

Args: id: Replication job ID. force: Force removal (skip cleanup). keep: Keep replicated data on target.

List configured metric servers (InfluxDB, Graphite).

Get metric server configuration.

Args: id: Metric server ID.

List all configured notification endpoints (sendmail, gotify, smtp, webhook).

List all notification targets.

List all notification matchers (rules that route notifications).

Send a test notification to a target.

Args: name: Target name.

Bulk start guests across the cluster.

Args: vms: Comma-separated list of VMIDs (empty = all).

Bulk shutdown guests across the cluster.

Args: vms: Comma-separated list of VMIDs (empty = all).

Bulk migrate guests to a target node.

Args: target: Target node name. vms: Comma-separated VMIDs.

Get Ceph cluster status (health, monitors, OSDs, PGs).

Get Ceph metadata (versions, services across nodes).

Get Ceph global flags (noout, noscrub, etc.).

Set a Ceph global flag.

Args: flag: Flag name (noout, noscrub, nobackfill, norebalance, nodown, noup, etc.). value: True to set, False to unset.

Get Ceph status from a specific node's perspective.

Args: node: The node name.

List Ceph OSDs on a node.

Args: node: The node name.

Create a new Ceph OSD on a device.

Args: node: The node name. dev: Block device for the OSD (e.g. '/dev/sdb'). db_dev: Separate block device for DB. wal_dev: Separate block device for WAL. encrypted: Encrypt the OSD.

List Ceph pools.

Args: node: The node name.

Create a new Ceph pool.

Args: node: The node name. name: Pool name. size: Number of replicas (default 3). min_size: Minimum replicas for I/O (default 2). pg_num: Number of placement groups (default 128). application: Pool application (rbd, cephfs, rgw).

List Ceph monitors.

Args: node: The node name.

List Ceph managers.

Args: node: The node name.

List Ceph metadata servers (MDS, for CephFS).

Args: node: The node name.

List CephFS filesystems.

Args: node: The node name.

Get the raw Ceph configuration.

Args: node: The node name.

Get Ceph CRUSH rules.

Args: node: The node name.

List all scheduled cluster jobs (realm-sync, etc.).

List realm synchronization jobs.

List PCI device mappings for passthrough.

List USB device mappings for passthrough.

List directory mappings.

Get cluster-wide firewall options (enable, policy_in, policy_out, etc.).

Set cluster-wide firewall options.

Args: enable: 1 to enable, 0 to disable, -1 to not change. policy_in: Default input policy: 'ACCEPT', 'REJECT', 'DROP'. policy_out: Default output policy: 'ACCEPT', 'REJECT', 'DROP'. log_ratelimit: Log rate limit (e.g. 'enable=1,rate=1/second,burst=5'). ebtables: 1 to enable ebtables rules, 0 to disable, -1 to not change. delete: Comma-separated options to delete.

List cluster-level firewall rules.

Get a specific cluster firewall rule.

Args: pos: Rule position number.

Create a cluster-level firewall rule.

Args: action: 'ACCEPT', 'DROP', 'REJECT'. type: 'in', 'out', 'group'. enable: 1 = enabled, 0 = disabled. source: Source address/range (CIDR or alias). dest: Destination address/range. proto: Protocol (tcp, udp, icmp, etc.). sport: Source port(s). dport: Destination port(s). iface: Network interface. macro: Use predefined macro (e.g. 'SSH', 'HTTP', 'HTTPS', 'Ping'). comment: Description. log: Log level: 'emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug', 'nolog'. pos: Rule position (-1 = append).

Update a cluster-level firewall rule.

Args: pos: Rule position to update. action: 'ACCEPT', 'DROP', 'REJECT'. enable: 1 = enabled, 0 = disabled, -1 = don't change. source: Source address/range. dest: Destination address/range. proto: Protocol. sport: Source port(s). dport: Destination port(s). macro: Predefined macro. comment: Description. moveto: Move rule to this position. delete: Comma-separated properties to delete.

Delete a cluster-level firewall rule.

Args: pos: Rule position to delete.

List firewall security groups (reusable sets of rules).

List rules in a firewall security group.

Args: group: Security group name.

Create a new firewall security group.

Args: group: Group name. comment: Description.

Add a rule to a firewall security group.

Args: group: Security group name. action: 'ACCEPT', 'DROP', 'REJECT'. type: 'in', 'out'. enable: 1 = enabled, 0 = disabled. source: Source address/range. dest: Destination address/range. proto: Protocol. sport: Source port(s). dport: Destination port(s). macro: Predefined macro. comment: Description.

List cluster firewall aliases (named IP addresses/ranges).

Create a firewall alias (named IP address or CIDR).

Args: name: Alias name. cidr: IP address or CIDR (e.g. '10.0.0.0/24' or '192.168.1.1'). comment: Description.

Delete a firewall alias.

Args: name: Alias name.

List cluster firewall IP sets (named groups of IPs).

Create a new firewall IP set.

Args: name: IP set name. comment: Description.