
Proxmox VE 9.2 — Dynamic Load Balancer, WireGuard SDN & Kernel 7.0

On May 21, 2026, Proxmox Server Solutions released Proxmox VE 9.2 — the second minor release of the 9.x line and the most substantial update since the 9.0 jump in summer 2025. The headline features: a true dynamic load balancer for HA clusters, WireGuard as an encrypted SDN fabric protocol, Ceph Tentacle 20.2 as the new default and the move to Linux Kernel 7.0. Plus more than fifty smaller improvements across the VM, container, storage and backup stack.

Technical Foundation

| Component | Version |
|---|---|
| Debian | Trixie 13.5 |
| Linux Kernel | 7.0 (new default) |
| QEMU | 11.0 |
| LXC | 7.0 |
| ZFS | 2.4 |
| Ceph | Tentacle 20.2.1 (default) — Squid 19.2.3 still available |

The Kernel 7.0 jump is bigger than the 6.17 step in 9.1 — refreshed driver stack, MBEC and GMET support for hardware virtualization branch targets, Spectre / VMScape hardening and reworked AppArmor paths.

The Five Big Highlights

1. Dynamic Load Balancer for the Cluster Resource Scheduler

The new Dynamic Load Balancer (DLB) is the biggest cluster feature since CRS rules were introduced. Until now, the CRS decided statically where an HA guest is started. Now the CRS monitors real-time metrics (CPU and memory pressure per node) and actively migrates HA guests when a node falls out of balance.

What this means in practice:

  • No more manual live migrations after failover or load spikes
  • Automatic rebalancing after maintenance reboots
  • Configurable thresholds (hysteresis and cool-down so nothing “ping-pongs”)

2. HA Arm / Disarm for Planned Maintenance

Two new CRM commands — arm-ha and disarm-ha — fix a chronic pain point in the HA stack: planned maintenance without unwanted fencing.

ha-manager disarm-ha <node>
# … maintenance on the node …
ha-manager arm-ha <node>

In the “disarmed” state the HA stack still detects temporary node outages but won’t fence. For rolling upgrades, firmware patches or network rework this is a real win — before, the only safe option was to stop the HA service entirely.

Important: A node must be armed again before a cluster upgrade, or HA resource migration must be complete — otherwise the HA manager can stall during the upgrade. Already addressed in 5.2.4+.

3. WireGuard as an SDN Fabric Protocol

SDN gets encrypted underlays. In addition to the existing OSPF and BGP fabrics, WireGuard is now available as a fabric protocol:

  • Automatic key management between cluster nodes
  • Encrypted node-to-node tunnels — ideal for multi-site clusters over public WAN or hosting providers without L2 connectivity
  • BGP/EVPN fabric runs transparently on top

Add to that eBGP unnumbered underlay with per-ASN configuration per node, and OSPF route redistribution for connected, local, kernel and BGP routes.

4. BGP/EVPN Filtering with Route Maps and Prefix Lists

For everyone running SDN seriously in the data centre: fine-grained filtering lands natively in the Proxmox web UI. Route maps and prefix lists can be defined per fabric — perfect for multi-tenant setups where not every tenant should see all EVPN routes. Complemented by multi-EVPN controller support for inter-AS scenarios and IPv6 underlays for EVPN.

A new dry-run mode lets you validate SDN changes before going live — EVPN misconfigurations are notoriously hard to undo.

5. Ceph Tentacle 20.2 as the New Default

Fresh clusters default to Ceph Tentacle 20.2.1 from 9.2 onwards. Squid 19.2.3 remains available and continues to receive security patches. Tentacle brings:

  • Improved RGW performance
  • More stable OSD recovery in large clusters
  • Consolidated telemetry and crash reporters

9.2 also fixes several Ceph-specific GUI bugs: the pool edit dialog replication size, incorrectly assigned monitor log owners on fresh clusters and more robust OSD creation when auth_client_required is missing from ceph.conf.

Virtual Machines (QEMU 11.0)

| Area | Improvement |
|---|---|
| Custom CPU Models | Custom CPU models can now be managed through the web UI — including cluster-wide compatibility indicators |
| TPM Snapshots | TPM state storage now also on storages with volume chains |
| VNC Clipboard | Live migration of the VNC clipboard (machine version 10.1+) |
| Intel TDX | Initial support for Trust Domain Extensions (confidential computing) |
| Nested-Virt Flag | Selective CPU feature exposure without the full host CPU type |
| OVMF Boot Menu | Boot menu now takes precedence over the firmware setup |
| UEFI 2023 Keys | New EFI disks ship with Microsoft UEFI CA 2023 keys |
| PCI Passthrough | Driver targeting for passthrough devices via the new driver option |

LXC 7.0 — Possibly the Biggest Container Jump in Years

LXC 7.0 is the main reason for the version bump:

  • OCI image support for both system and application containers
  • Per-mountpoint UID/GID mapping via the idmap option — the clean way to share volumes between containers with different user mappings
  • Per-mountpoint attribute inheritance via keepattrs
  • cgroup v1 deprecation warnings — the final step before cgroup v1 support is removed
  • OCI image User property enforcement
  • AF_ALG seccomp filtering — prevents a known privilege-escalation class in unprivileged containers (see PSA-2026-00018-1)
  • systemd-networkd support for SUSE-based distros
  • tmpfs mount at /dev/shm for application containers

Storage and Backup

  • Shared LVM with qcow2 volumes: Size queries without activation — faster with many snapshots
  • ZFS blocksize validation: 512 B to 16 MiB, power-of-two enforced — no more broken datasets from typos
  • CIFS with Kerberos: Detection and native auth path
  • PBS API tokens: Better name and realm validation
  • Volume chains for thick LVM provisioning: Snapshots-as-volume-chains for classic LVM setups without thin pools

The guest selection dialog for backup jobs has been reworked (search, review toggle, selection counter), and the legacy parameters starttime / dow are deprecated; schedule is now the only officially supported way.

Security — Including Some Critical Patches

9.2 addresses several serious findings:

  • PSA-2026-00014-1: VNC session hijacking and password guessing (VNC API clients may need adjustments)
  • PSA-2026-00015-1: HA resource creation now requires the Sys.Console privilege
  • PSA-2026-00018-1: AF_ALG socket privilege escalation in containers
  • Cloud-init password dump requires VM.Config.Cloudinit
  • VM start after create/restore requires VM.PowerMgmt

Plus kernel CVE backports (vblank timeout, vmalloc warnings, mpt3sas crashes, USB HID regression, ZFS cgroup OOM, AppArmor NULL deref) and patches for Crackarmor, copy.fail, DirtyFrag, Fragnesia, ssh-keysign-pwn and pintheft.

Installer and Auto-Installer

| Feature | Description |
|---|---|
| PXE/iPXE Auto-Install | New flags --pxe and --pxe-loader for ISO generation |
| HTTP Auth Token | Protect answer files via authentication |
| IPv6-only | SLAAC and Router Advertisement support |
| inspect-iso | New subcommand for ISO verification |
| subscription-key | Answer file property for automatic subscription activation |
| Post-hook | Data lands in /run/proxmox-installer/post-hook-data.json |
| Debug Shell | Ctrl-C opens a debug shell during installation |

GUI / UX

Many small improvements across the interface that pay off in daily use:

  • Parallel worker count for all bulk actions (default: auto)
  • Task viewer download without a popup
  • Deep link fragments survive an OpenID login
  • Snapshot and backup creation directly from the context menu
  • Nested pool grouping in the resource view
  • Architecture column in the resource store
  • Mobile UI: firewall view, container network panels, OIDC redirect decoding
  • Correct Europe/Kyiv time zone (IANA name)
  • Bond without bond-primary can be created
  • CPU utilisation dashboard displays correct values again

Known Issues

  • HA Disarm and upgrade: Cluster upgrade with a disarmed HA stack can hang — workaround: keep HA armed or wait for migration. Fixed in 5.2.4+.
  • VNC API clients: Breaking change due to PSA-2026-00014-1 — review custom integrations.
  • cgroup v1: Raw entries are deprecated. Anyone still maintaining old LXC configurations should migrate now — one of the next releases drops support.
  • Legacy backup job parameters: starttime and dow are deprecated in favour of schedule.
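
One way to find the containers affected by the cgroup v1 item above before upgrading, as an added example that is not part of the original article or of Proxmox tooling. It assumes container configs live in /etc/pve/lxc/<vmid>.conf and that v1 raw keys are spelled lxc.cgroup.<controller>.<file> while v2 keys start with lxc.cgroup2.; the function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Proxmox tooling. Assumes container configs sit in
# /etc/pve/lxc/<vmid>.conf and that cgroup v1 raw keys are spelled
# lxc.cgroup.<controller>.<file> (v2 keys start with lxc.cgroup2.).

# Print "file<TAB>line<TAB>section<TAB>key" for each cgroup v1 raw entry.
# Snapshot sections ([name]) are reported too, since a rollback restores them.
find_cgroup_v1() {
    for conf in "${1:-/etc/pve/lxc}"/*.conf; do
        [ -f "$conf" ] || continue
        awk -v f="$conf" '
            /^\[.*\]$/ { sect = substr($0, 2, length($0) - 2); next }
            /^[ \t]*#/ { next }   # description and comment lines
            match($0, /^[ \t]*lxc\.cgroup\.[A-Za-z0-9_.]+/) {
                key = substr($0, RSTART, RLENGTH)
                sub(/^[ \t]+/, "", key)
                printf "%s\t%d\t%s\t%s\n", f, NR, (sect == "" ? "current" : sect), key
            }' "$conf"
    done
}

# Number of container configs that still carry at least one v1 key.
count_affected() {
    find_cgroup_v1 "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample configs (VMIDs and values are made up for the demo).
demo_dir=$(mktemp -d)
cat > "$demo_dir/101.conf" <<'EOF'
hostname: legacy-ct
unprivileged: 1
lxc.cgroup.devices.allow: c 10:200 rwm
[pre-upgrade]
hostname: legacy-ct
lxc.cgroup.memory.limit_in_bytes = 536870912
EOF
cat > "$demo_dir/102.conf" <<'EOF'
hostname: modern-ct
# lxc.cgroup.devices.allow: c 10:200 rwm
lxc.cgroup2.devices.allow: c 10:200 rwm
EOF

find_cgroup_v1 "$demo_dir"
echo "containers with cgroup v1 raw entries: $(count_affected "$demo_dir")"
```

On a real node, call find_cgroup_v1 without an argument to scan /etc/pve/lxc; entries reported under a snapshot section only matter if that snapshot is rolled back.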

Support Timeline

| Version | Security updates until |
|---|---|
| Proxmox VE 8.4 | August 2026 |
| Proxmox VE 9.x | at least 2030 (along Debian Trixie LTS) |

iX/Proxmox is giving roughly one year of overlap between 8.4 updates and 9.x — enough time for most production clusters.

Upgrade Path

From 9.1 → 9.2: Standard update via apt update && apt full-upgrade from the enterprise (recommended) or no-subscription repo. The web-GUI-based update works as well.

From 8.4 → 9.2: First move to 8.4 with all current updates, then run pve8to9, then upgrade to 9.x — a direct jump from 8.4 to 9.2 is supported.

If you want to bring Tentacle to existing clusters: Squid stays the safe default for upgrades. Migrate to Tentacle only on fresh pools or after thorough testing.

Conclusion

Proxmox VE 9.2 is not a maintenance release but a real feature update with two heavyweights: dynamic load balancing closes the last big gap to commercial hypervisors like vSphere DRS, and WireGuard SDN fabric makes multi-site clusters without a dedicated backbone practical. On top: Kernel 7.0, Ceph Tentacle and a grown-up LXC 7.0.

For existing 9.1 clusters this is a clear upgrade recommendation. If you are still on 8.4, plan the jump to 9.x now — the overlap phase ends in August 2026.

DATAZONE for Upgrade and Migration

We run Proxmox clusters from 3-node SMB setups to multi-site EVPN fabrics. Whether upgrade planning, Ceph migration to Tentacle, SDN design with WireGuard fabric or the move from VMware to Proxmox 9.2 — we advise vendor-neutrally. More on our Proxmox services or request a free consultation.
