pve-mcp
Provides tools for managing Proxmox VE virtual machines and containers, including resource query, VM/CT lifecycle, snapshots, backups, clones, and configuration management.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@pve-mcpshow cluster status"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
pve-mcp
An MCP server for managing Proxmox VE (single node or cluster): query resources, manage VM/CT lifecycle, snapshots, backups, clones — from Claude Code or any MCP host.
Works with both QEMU VMs and LXC containers, on single nodes and clusters.
Tools that target one guest only need the
vmid— the node and guest type are resolved automatically.Safety first: an optional read-only mode,
confirm=truerequired for destructive operations, and guest command execution disabled by default.
Requirements
Python >= 3.11 (a pinned 3.12 is used via
uv)A Proxmox VE 7/8 host with an API token (see below)
Related MCP server: mcp-server-proxmox
Installation
git clone <this-repo> pve-mcp
cd pve-mcp
uv sync # installs runtime + dev dependencies into .venv
uv run pytest # optional: run the test suiteOr run it directly with uvx (no install):
uvx --from /path/to/pve-mcp pve-mcpThe console entry point is pve-mcp (stdio transport).
Creating a PVE API token
Authentication uses API tokens only (Authorization: PVEAPIToken=<id>=<secret>),
never username/password tickets. Create a dedicated user and token on the PVE
host (as root):
# 1. Dedicated user
pveum user add mcp@pve --comment "MCP server"
# 2a. Read-only usage: PVEAuditor on the whole tree
pveum acl modify / --users mcp@pve --roles PVEAuditor
# 2b. Management usage: PVEVMAdmin (VM/CT lifecycle, snapshots, backups)
pveum acl modify / --users mcp@pve --roles PVEVMAdmin
# For backup/restore you may also need PVEDatastoreUser on the backup storage:
pveum acl modify /storage/<backup-storage> --users mcp@pve --roles PVEDatastoreUser
# 3. Token
pveum user token add mcp@pve mcp --privsep 1Note the privsep setting: with --privsep 1 (recommended) the token has
its own ACLs — grant the roles above to the token too
(pveum acl modify / --tokens 'mcp@pve!mcp' --roles PVEVMAdmin), or the token
ends up with no permissions. With --privsep 0 the token inherits all
permissions of the user.
The command prints the token secret once — store it safely.
Configuration (environment variables)
Variable | Required | Default | Description |
| yes | — | PVE API URL, e.g. |
| yes | — | Token ID: |
| yes | — | Token secret (UUID) |
| no |
| Set |
| no |
| HTTP timeout in seconds |
| no |
|
|
| no |
|
|
| no |
| Seconds to wait for PVE tasks; on timeout the UPID is returned |
A .env file in the working directory is loaded automatically; see
.env.example.
Registering with Claude Code
claude mcp add pve -e PVE_HOST=https://192.168.1.10:8006 \
-e PVE_TOKEN_ID='root@pam!mcp' -e PVE_TOKEN_SECRET=xxx \
-e PVE_VERIFY_SSL=false -- uvx --from /path/to/pve-mcp pve-mcpAdd -e PVE_MCP_READ_ONLY=true for a safe, audit-only setup.
Tools
Read-only (12, always registered)
Tool | Purpose |
| Cluster/node health, quorum (works on single nodes too) |
| Nodes with CPU/memory/disk usage and online status |
| One node in detail (load, kernel, PVE version) |
| All VMs + CTs; filter by node / type / status |
| Live status of one guest (CPU/mem, agent, uptime) |
| Full config of one guest (cores, memory, disks, NICs) |
| Storage usage (cluster-wide or per node) |
| Contents of a storage (iso/backup/vztmpl/images) |
| Backups across storages; filter by vmid / storage |
| Snapshot tree of one guest |
| Recent tasks (all nodes or one), errors-only option |
| One task's status; failed tasks include a log tail |
Write (11, skipped when PVE_MCP_READ_ONLY=true)
Tool | Purpose | Destructive |
| start / shutdown / stop / reboot / suspend / resume | no ( |
| Move a guest to another node (QEMU live / CT restart) | no |
| Change config keys (cores, memory, onboot, ...) | no (most changes need a guest restart) |
| Grow a disk ( | no |
| Clone to a new vmid (full or linked) | no |
| Snapshot a guest ( | no |
| vzdump backup (snapshot/suspend/stop mode) | no |
| Roll back to a snapshot | yes — requires |
| Delete a snapshot | yes — requires |
| Delete a guest and all its disks | yes — requires |
| Restore an archive to a vmid | new vmid: no; overwrite: yes — requires |
Exec (1, requires PVE_MCP_ENABLE_EXEC=true)
Tool | Purpose |
| Run a shell command in a QEMU VM via the guest agent ( |
Security model
Read-only mode — with
PVE_MCP_READ_ONLY=truethe write tools are not registered at all (they don't exist for the model), leaving exactly the 12 read-only tools.Tool annotations — read-only tools carry
readOnlyHint, the four destructive tools carrydestructiveHint, so MCP hosts (e.g. Claude Code) can prompt appropriately.confirmparameter — destructive tools refuse to run withoutconfirm=trueand explain the consequences first. Nothing is sent to PVE until confirmed.Exec opt-in —
pve_vm_exec(arbitrary command execution in guests) is only registered withPVE_MCP_ENABLE_EXEC=true, and never in read-only mode.
Combine with a least-privilege token: PVEAuditor for read-only setups,
PVEVMAdmin for management.
Behavior notes
Async tasks: write operations wait up to
PVE_MCP_TASK_WAITseconds for the PVE task to finish. Long operations (backups, clones, migrations) return{"status": "running", "upid": ...}— follow up withpve_task_status.Output: responses are JSON with a per-tool field whitelist; byte values keep the raw number and gain a
*_humancompanion (e.g."31.25 GiB").Errors: HTTP/auth/SSL errors are translated into actionable messages (e.g. 403 suggests the missing role; unknown vmids list the existing ones).
Development
uv sync
uv run pytest # unit tests (PVE API mocked with respx)See DESIGN.md for the full specification.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/tiancode/pve-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server