I thought it might be helpful for people following my guide for installing macOS Mojave on Proxmox if I described my setup and how I’m using macOS.
Proxmox hardware specs
- Motherboard: Asrock EP2C602
- RAM: 64GB
- CPU: 2 x Intel E5-2670 for a total of 16 cores / 32 threads
- Samsung 950 Pro 512GB NVMe SSD for macOS
- 30TB of spinning disks in various ZFS configurations
- 1TB SATA SSD for Proxmox’s root device
- EVGA GeForce GTX 1060 6GB
- EVGA GeForce GTX 750 Ti
- AMD Radeon R9 280X (HD 7970 / Tahiti XTL)
- 2x onboard Intel C600 USB 2 controllers
- Inateck USB 3 PCIe card (Fresco Logic FL1100 chipset)
- 2x onboard Intel 82574L gigabit network ports
- Lian Li PC-X2000F full tower (sadly, long discontinued!)
- Lian Li EX-H35 HDD Hot Swap Module (to add 3 x 3.5″ drive bays into 3 of the 4 x 5.25″ drive mounts), with Lian Li BZ-503B filter door, and Lian Li BP3SATA hot swap backplane. Note that because of the sideways-mounted 5.25″ design on this case, the door will fit flush with the left side of the case, while the unfiltered exhaust fan sits some 5-10mm proud of the right side of the case.
- CPU cooler
- 2 x Noctua NH-U14S coolers
- EVGA SuperNOVA 750 G2 750W
My Proxmox machine is my desktop computer, so I pass most of this hardware straight through to the macOS Mojave VM that I use as my daily-driver machine. I pass through both USB 2 controllers, the USB 3 controller, the NVMe SSD, and one of the gigabit network ports, plus the R9 280X graphics card.
Continue reading My macOS Mojave / Proxmox setup
I just got stuck on a CloudFormation gotcha for an hour. I was trying to add an access policy to an SQS queue to allow SNS to post messages to it, but it gave this error:
An error occurred: myQueue – Invalid value for the parameter Policy. (Service: AmazonSQS; Status Code: 400; Error Code: InvalidAttributeValue).
Continue reading AWS CloudFormation YAML gotcha
This tutorial was updated on 2019-06-05 to fetch the installer directly from Apple’s servers instead of getting it from the app store
This tutorial for installing macOS Mojave has been adapted for Proxmox 5.4 from Kholia’s GitHub project for installing into vanilla KVM. There is more documentation there which will help out with enabling extra features and diagnosing problems!
I’ll assume you already have Proxmox 5.4 installed. You also need a real Mac available in order to fetch the OSK key.
Your Proxmox host computer’s CPU must support SSE 4.2, so for Intel your CPU must be at least as new as Nehalem, which was the first CPU generation to bear the “Core” i5/i7 branding. Older CPUs will cause the finder to repeatedly crash after installation completes (with an Illegal Instruction exception in the graphics code).
Apparently modern AMD CPUs also support SSE 4.2 and can be used with this guide without any modification (maybe Bulldozer and certainly Ryzen), but I haven’t tested this myself.
Continue reading Installing macOS Mojave 10.14 on Proxmox 5.4
Proxmox 5.1’s version of the OVMF firmware introduces two commits (2ac1730 and 147fd35) that are intended to mark the pagetables as read-only during startup. This conflicts with the OsxAptioFixDrv drivers in Clover, which expect to be able to modify the pagetables to remap memory:
I’ve patched OVMF to revert the effect of these two commits, which allows macOS to boot again (I also tested it by booting Windows 10, which worked fine). If you just want to download the fixed .deb, skip to the end of the article, otherwise if you want to build it yourself, follow along with the instructions in the next section:
Continue reading Patch OVMF to support macOS in Proxmox 5.1+
With the final release of Mojave, this tutorial is now out of date, see the new tutorial for installing Mojave instead!
This tutorial for installing macOS Sierra has been adapted for Proxmox 5 from Kholia’s GitHub project for installing into vanilla KVM. There is more documentation there which will help out with enabling extra features and diagnosing problems!
I’ll assume you already have Proxmox 5.1 installed. You also need a real Mac available in order to download High Sierra from the App Store and build the installation ISO. Your Proxmox host computer must have an Intel CPU at least as new as Penryn (I believe you would need a a custom Mac kernel in order to use an AMD CPU). Continue reading Installing macOS High Sierra on Proxmox 5
When emulating macOS on Proxmox, it seems that we are forced to set the guest’s CPU type to “Penryn”. This is a very old architecture, and is missing some features that could unlock higher CPU performance. In particular, I wanted to use AVX (for accelerated stream processing) and AES-NI (for encryption), but macOS panics on boot if I set the CPU to Sandy Bridge, which would match my CPU which includes those features.
Luckily, kholia over at the OSX-KVM project has discovered that we can keep using Penryn, but enable the passthrough of individual advanced CPU features and have Sierra use them, even though Penryn never supported these features.
Continue reading Passthrough of advanced CPU features for macOS [High] Sierra guests
macOS 10.13 High Sierra has finally been released, and the good news is that it works with Proxmox 5!
Here’s how I upgraded my Proxmox 5 Sierra installation, which has been previously updated to use Clover/UEFI boot and is stored on a passthrough NVMe SSD. Your setup may differ and your upgrade steps may need to change. I doubt these instructions would work for enoch/chameleon boot.
Take a snapshot of Sierra
I cannot stress this enough! If your filesystem gets completely trashed by the installer, you really need to be able to roll it back to a snapshot!
Continue reading Upgrading a Proxmox 5 macOS Sierra guest to High Sierra
After reinstalling Mac OS Sierra, I found that Chrome could no longer use my HTTPS client certificates. Instead, after choosing my certificate from Chrome’s pop-up certificate picking menu, I just got a fatal “ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED” error. The HTTPS client certificates worked fine in Safari, so it seemed to be a Chrome-specific problem.
I was able to fix this by opening the Keychain Access program, right-clicking my HTTPS private key and selecting Get Info, then on the Access Control tab I changed it from “allow all applications to use this item” to “confirm before allowing access”. The next time I tried to view the website in Chrome, Mac OS popped up to confirm that I wanted to allow it to use the key, and it worked perfectly after clicking Allow! I guess the Keychain’s application permissions got messed up at some point, and this reset it.
I wanted to emulate MIPS guests on my Proxmox hypervisor so that I could do some security research on router firmware. Unfortunately, Proxmox has customised some of the QEMU packages and their dependencies, which makes it difficult to install the standard Debian
qemu-system-mips package. In particular, Proxmox provides its own
pve-libspice-server1 package which conflicts with the
libspice-server1 package that vanilla QEMU depends on, so attempting to install it will complain:
Some packages could not be installed.
The following packages have unmet dependencies:
qemu-system-mips : Depends: libspice-server1 (>= 0.12.5)
To solve this, we need to build a modified version of the package from source.
Continue reading Emulating MIPS guests in Proxmox 5
After seeing this arbitrary command execution vulnerability in Ubiquiti equipment, discovered by SEC Consult, I was intrigued. In that bug, code that would have been secure on a more recent version of PHP was rendered vulnerable because of the ancient PHP version used (2.0.1, which is nearly 20 years old). I wanted to see what other bugs might be caused by PHP that works in unexpected ways.
My friend owns a “NanoBeam AC” running firmware WA_v8.0.1, so I downloaded that firmware from Ubiquiti’s website and unpacked it with binwalk. I found a bunch of PHP scripts, a custom patched PHP 2.0.1 binary, and a custom patched Lighttpd server which handles session management and serves the files.
Continue reading Login bypass in Ubiquiti airMAX/airOS before 8.0.2, 7.2.5, 6.0.2, 5.6.15 if airControl web-UI was used