Doubts about NS8

Hi all,

From: Design & Architecture | NS8 dev manual

Goals

  • easy and effective data backup and restore

Very, but very, far away compared to NethServer-7.x
Only in the Cloud => you have confidence in the Cloud ?
Restoration of a simple file ?

  • prepare a machine in a lab, deploy at customer’s office

Good luck with that and only if the internet has access to the server in the lab for Let’s Encrypt Certificates…
No acme.sh for LOCAL server.

Assumptions

  • containers are the new standard

Unix was the standard for a long time, where is it now ?
Motorola 68000 32 bits was the standard in microprocessors, where is it now ?
Digital Equipment Corporation PDP-11 was the standard for quite some time, where is it now?
Novell Netware with almost 75% of market was THE standard, where is it now?
Centos was the standard for a long time, where is it now ?
Docker was the standard for containers, where is it going now ?
Windows is the standard OS - does it make it a good OS choice for all applications ?

  • NS8 is designed for small and medium business, with limited resources.

I cannot imagine a small business admin trying to understand NS8 complexity…

  • built for cheap hardware or entry-level Virtual Private Server (VPS)

It doesn’t work well on VirtualBox-7 => with app installation, it generates connection errors, even with 4 CPUs and 20 GB RAM

Design choices

List of things considered almost stable, with or without an existing prototype implementation:

  • Centralized certificate management

" Let’s Encrypt certificates are automatically exported to Redis upon request and renewal. Certificates are saved under an hash named /module/traefik/certificate/ key, i.e /module/traefik1/certificate/server.nethserver.org. The certificate is saved inside the cert field, while the key is saved inside the key field."

Not for imported Let’s Encrypt certificate. They are considered “custom”.

root@ns8:~# ls -als /home/traefik1/.config/state/custom_certificates/
total 24
4 drwxr-xr-x 2 traefik1 traefik1 4096 26 jui 13:34 .
4 drwxr-xr-x 5 traefik1 traefik1 4096  5 oct 12:32 ..
4 -rw-r--r-- 1 traefik1 traefik1 4025 26 jui 13:34 debian.toto-dev.org.crt
4 -rw-r--r-- 1 traefik1 traefik1 1704 26 jui 13:34 debian.toto-dev.org.key
4 -rw-r--r-- 1 traefik1 traefik1 3721 26 jui 13:34 mail.debian.toto-dev.org.crt
4 -rw-r--r-- 1 traefik1 traefik1 1708 26 jui 13:34 mail.debian.toto-dev.org.key
root@ns8:~#

No acme.sh for LOCAL server.

  • considered almost stable

For sure you can say “almost stable” for Roundcubemail and Webtop…

One thing that is working “not so bad” is Nginx/MariaDB and even there, when you create a new Virtual host, the first one created disappears from the UI.
For MariaDB, lucky to have phpMyAdmin to create the user with the % to be able to access it from outside.
The funny way to define “Database hostname:port” as define( 'DB_HOST', 'toto-dev.org:20010' );

  • other applications

How can I install an application which is not on the list i.e. Jitsi. I have to create a container ?

  • Documentation

Not up to date, not so detailed, spread all over the place(s) // lot in github not in the admin/dev manuals.

  • Supported OS

It looks like the focus is on Rocky - will it fall as Centos ?
I prefer Debian as it will be there and LIBRE forever.

My main reasons to choose NS8 are:

  • Let’s Encrypt certificate

No way yet if you are on a lab LAN server.
No acme.sh for LOCAL server.
An imported LE certificate is considered a “Custom” one.

  • MAIL

Not there yet.

  • Webserver

Still some error as written above: “when you create a new Virtual host, the first one created disappears from the UI”.

  • Port forwarding

I cannot find it in the UI.

  • Community

Luckily, we have a fantastic forum


June 2024 is not far…

Doubts begin to germinate and invade me about NS8.

Michel-André

6 Likes
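The `ls -als` listing in the opening post shows the imported `.key` files with mode `-rw-r--r--`; whether other local accounts can actually read them depends on the directories above, which the listing shows only partly. The following is an added example, not code from the thread or from NS8: a small audit that reports key files readable by group or others and whether the directories below the scanned root let others reach them. The `.key` suffix rule and all function names are assumptions of this example.

```python
import stat
from pathlib import Path

# Assumption: private keys carry the ".key" suffix, as in the listing above.
KEY_SUFFIXES = {".key"}


def dirs_from_root(root: Path, leaf_dir: Path):
    """Yield root, then each directory below it on the way down to leaf_dir."""
    current = root
    yield current
    for part in leaf_dir.relative_to(root).parts:
        current = current / part
        yield current


def audit_private_keys(root):
    """Return one finding per key file under root that group or others can read.

    Directories above root are not inspected; scan from the highest directory
    whose permissions you want taken into account.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        if path.suffix not in KEY_SUFFIXES:
            continue
        mode = path.stat().st_mode
        group_read = bool(mode & stat.S_IRGRP)
        other_read = bool(mode & stat.S_IROTH)
        if not (group_read or other_read):
            continue
        # The file's o+r bit only matters if "others" can traverse (o+x)
        # every directory from root down to the file's parent.
        traversable = all(
            d.stat().st_mode & stat.S_IXOTH
            for d in dirs_from_root(root, path.parent)
        )
        findings.append({
            "path": str(path),
            "mode": stat.filemode(mode),
            "group_readable": group_read,
            "other_readable": other_read,
            "reachable_by_others": other_read and traversable,
        })
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in audit_private_keys(target):
        print(f"{f['mode']} {f['path']} "
              f"reachable_by_others={f['reachable_by_others']}")
```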

NS8 does not contain a full firewall, why should there be ANY Port-Forwarding?

Not sensible to me?

My 2 cents
Andy

Hi @Andy_Wismer

To forward to my telephone.

1	TCP,UDP	5004	Hôte ht-502	5004	Tout	-	Port RTP local	
2	TCP,UDP	5060	Hôte ht-502	5060	Tout	-	Port SIP local

Michel-André

Hi @michelandre

As said, port forwarding is a task for a firewall, not for a generic server. NS7 had a firewall included, but not NS8 (yet) - the NethSecurity stuff is not really a part of NS8…

A server does not need any port forwardings.

My 2 cents
Andy

Hi @Andy_Wismer

Then explain how I can do it.

Michel-André

@michelandre

I use mostly OPNsense as firewall, only ever had one NethServer running with firewall in the cloud for testing. That can handle ANY port-forwarding needs with ease!

As said, set this on your firewall (Provider Modem is often also a firewall!). I doubt you do not have any box between your NS8 and the Internet.
Just because NS7 had a firewall, and NS8 does not, does not mean you must cast aside any basic precautions!
Besides which, NS8 is still in Beta…

I will continue using OPNsense firewalls, this works well, no matter if NS7 or NS8…

My 2 cents
Andy

Hi @Andy_Wismer

My doubts just went up a little bit more.

Michel-André

@michelandre

Speaking for myself, I’m glad NS8 doesn’t contain a full firewall…

I have one which works!

And: It will never block my Internet access due to a non-related problem!

My 2 cents
Andy

1 Like

Besides the doubts of michelandre - let me ask: do you still want NS8 to be a classical SME distro? Someone of the devs did already point out - NO.

I confess - I don’t get the whole concept of NS8. The argument was to be independent of an underlying OS. Okay got this - but IMVHO the settled horse is still RH with podman. I do not see any independence. The whole container concept is based on RH and podman? Where on heavens earth is the independence? And any change will hit not only one app. It will hit the whole concept - meaning the server - of NS8. One fingersnip from RH (what they already did in the past) and the concept of NS8 could be heavy under pressure. Now what?

All what I see right now is upgrading from NS7 and following this path is a step far away from SME. Originally the MITEL idea. I see the same dependencies to RH (call it Rocky or any other RH based distro, so whatever) as before. Even more. Where is the goal? And it’ll be much more difficult to migrate to any other linux distro. Just in a case nobody wants or knows.

In example and in addition to the above - following the idea to shift backups/data in a S3 cloud. Not everybody wants to follow the AWS ideas/protocol. Let me ask: “cui bono?” I guess cloud providers at first.

Not everybody has a fast internet connection. Maybe there are legal restrictions. Perhaps I don’t want to register for tons of certs. Maybe I want to stay as private as possible. Maybe I want to be as good as possible offline. I don’t know how big a usual backup for a SME is. Let’s assume it’s > 150 GB. How long would the initial backup run? And even more interesting - how long would it take to restore? Hey, how about a few TB’s?

Another (maybe more philosophical) point of view for me is, why should we shift more and more data in clouds? This means the world will need more and more energy for data centers. Quite already a lot today and, thanks also to clouds, growing day-by-day VERY fast. Email, social networks, IOT, smart city, cars, households, …everything? Where is the real benefit? Is it really necessary? How about sustainability? The only thing I see is dependencies. You’re losing control. Just in case the internet is down.

If this is going to be the so called state of art, I do see dependencies arising which I am not willing to insure nor to maintain. At least I’m not a fulltime sysadmin. The companies are too small to pay for this overhead.

Therefore, and speaking for myself, I can’t upgrade to NS8.

3 Likes

Hi @schulzstefan

Reading your reply, my doubts just went up quite a bit more.

Michel-André

Hi @michelandre,

NS8 is still in testing. A lot can be changed. But looking close to arguments (easy, small to medium enterprises, security, independence, flexibility, cloud, container and kubernetes are the future, …) I for myself can’t see proof right now.

The practical way is to test, test and test. And I suggest even to test more. Register for certs, clouds, buy S3 ready drives, install containers, delete them, back’em up, restore (whole server, container) or only one file, and so on. Move data to another (linux) system. Try all as good as you can. At least NS7 is still a benchmark for SME servers. So there’s still a chance.

Besides some serious fundamental considerations.

Stefan Martin

1 Like

Hi @schulzstefan,

A bit of history.

From: Peter Samuel Peter.Samuel@xxxxxxxx.xxx
Date: Monday February 9, 2004, at 11:33:23 PM (MST)

If I remember my history correctly this SME project came out of a need to
provide a cheap quality solution for IT services during the East Timor
independence.

You are mistaken. The e-smith Server & Gateway (now known as SME
Server) was the brain child of Joe Morrison. He founded e-smith inc.
Joe released his original code in the late 1990s (1999 if I remember
correctly). Charlie Brady saw it and realised it would be a good fit as
a server platform for various charitable and non-profit organisations to
which he was donating his time and services (along with others including
Gordon Rowell and myself). One of these charities was Community Aid
Abroad (the Australian arm of Oxfam). The e-smith Server and Gateway
was deployed in their Sydney office (replacing a previous Linux system
maintained by Charlie, Gordon and myself as well as CAA staff). CAA was
also working in East Timor and a version of the e-smith Server & Gateway
was deployed in their East Timor site (with a number of modifications
to support satellite modems and UUCP mail transport[1]). During this
time, Charlie and Gordon made contributions, modifications and bug
fixes available to Joe. Gordon and I deployed the software in other
commercial sites and CAA began rolling it out into their other offices
across Australia. Joe was building up a strong customer base from
Ottawa. Eventually, Joe was able to secure venture capital funding and
began employing staff in early 2000. The company known as e-smith,
inc was acquired by Mitel Networks in June 2001. The name of the product
was changed to SME Server (it had other names during the transition but
that’s not really important here). A new revenue model was adopted[2]
(ServiceLink) and over the next 2 years the focus/direction of the
commercial product changed to incorporate more telephony features (Mitel
is in the telephone business after all). In late 2003, Mitel decided
to cease further commercial development of the product and transferred
control of the GPL community infrastructure (the forums and lists etc)
to the “devinfo” community.

Obviously this is a much abbreviated history. It may contain a couple
of time line errors, but the information is factually correct to the
best of my recollections.

Imagine the number of people, time, efforts, coding, developments, tests, etc… it took to create that benchmark for SME servers and bring it to where it is today: NethServer-7.9.

I started using SME Server around 2003 and switched to NethServer in December 2018.

Michel-André

1 Like

The fact that it runs just as well on Debian doesn’t count as independence?

Or, you know, you–Beta2 does now support backing up to any S3-compatible provider, which can be you using Minio. There’s no need to involve any third party if you don’t want to. But yes, you are still using that protocol if that bothers you.

Agree that cert management should support wildcard certs, which would mean supporting DNS validation. But, of course, this isn’t present in NS7 either, so you wouldn’t be losing anything in this regard.

Both of these would depend almost entirely on the available bandwidth between the server and its backup host–these questions can’t be meaningfully answered, as you surely know. But how is this different from NS7? Yes, it’s using a different protocol. So what? In what meaningful way does that affect any of these things?

Nobody’s saying you have to; this is apparently based on your incorrect assumption that S3-compatible backup means you must use a cloud provider.

Honestly, this reminds me of your objections here: Container security on NS8. Like in that topic, you’re being very vague about your concerns, and where you are being specific, you’re largely incorrect. So I’ll ask you again, as I and others asked you there: what, specifically, are your concerns? And in what way do you think that things are worse under NS8 than under NS7? Or, if you don’t think NS7 is a valid comparison, what are you comparing it to, and why do you think that’s a more valid comparison?

This isn’t about me being a NS8 fanboi; there are lots of things I’m unsure about myself. But most of these objections just seem, frankly, silly, if not bordering on FUD.

I started in 2000 with Mitel. For my SME. Good decision in this time and NS7 is still a good decision right now.

1 Like

It does. But podman relies on RH. So the whole idea is a dependency of RH, and also the distros which use podman. Alter/change anything in podman and the whole server NS8 is in trouble. I’m not talking about one single app, like it could be in NS7. Or in a traditional (not containerized, or perhaps better using docker? YES - I know the pros and cons) debian server. Isn’t it?

Wait a moment, do I get this right? I’m able to plug my 3TB USB drive (or spare harddrive) in and backup? That’s it? Because this is exactly what I do today and this is the way I’d like to have it in future.

I’m backing up local. Bandwidth does not matter. Internet neither. AFAIK the S3 protocol is not open source.

I understood, that for a backup a S3 compatible drive is needed. Right? What reason for? Why not using a spare harddrive? Or simple USB-disk. Plug in and backup/restore. You tell me.

Maybe there’s a misunderstanding. IMVHO I don’t see any improvement with a container structure in security. Assuming the server setup is correct and up-to-date. For small business and part time admins I see more a question of overwhelming due to complexity.

Please tell me about the argument of security risks. I already asked about ransomware. Which for me today is one of the highest risks for a company. In this forum I was told containerization could not help. Even one more important argument for easy backup and restore. I wrote about the daily/weekly routine checking your server. Now, please you tell me about your practical security concerns which are in NS8 safer as ever before. Right now, I don’t have one. I feel the technical security argument/discussion is more theoretical.

Security is not only from a technical view. To me security means also being able to control and maintain your IT. Right now I don’t see that I’m able to deal with NS8 in this whole complexity. Mostly every company needs IT. A long time ago I decided for the structure behind the workstations is to stay with linux. Til today I am (with help from the communities and some literature) able to maintain my network and IT for myself. I don’t want to change this. We’re not living from IT. We just need it. That’s all.

Where have I been largely incorrect? Maybe I did not understand - but I do always try to be correct. You and everybody else may always show me the light and correct me. I appreciate to learn.

Not vague, eh? Why not being more precise?

Comparing NS7 vs NS8? In what way things are getting worse comparing NS7 to NS8? Did you read my post(s) above?

  • no more SME (for me)
  • this is the very first distro I’m not able to test out of the box. Even OS/2 from IBM was easier to test
  • too complex in various ways (you’d probably saying - there! he’s vague AGAIN. I started early to test NS8. Of course with ONLY my needs. I started to share in the forum my experiences while installing/testing. I wrote in this forum what I expect from a SME server/distro. Why should I test things I don’t need?)
  • for me no really practical improvement vs NS7 (I can’t see one right now)
  • a lot more dependencies as before
  • no easy local backup and restore

Again - I really appreciate the work of the devs. I don’t want to offend anyone. Neither I want to influence anybody.

This is based on my personal tests, reflections and observations, and are only needs for my IT.

3 Likes

@schulzstefan

All this will still run on Debian (My favorite, I don’t trust Rocky, Alma, Oracle nor RH!)., even if RH / IBM pulls the plug.

If using a real hypervisor underneath, like Proxmox PVE with PBS for Backups, all these arguments become moot…

Disaster Recovery, or single file / folders, a matter of minutes. (On almost any hardware!).

Using decent hardware for storing TBs, not as long as you might imagine, maybe a LOT faster!

No matter if using NS7 or NS8, you’re still free to implement and use a private cloud, running on your own hardware and on your own network(s). Never heard of interconnected buildings belonging to a single company?
I’ve worked for clients with several buildings, all wired with Fiber, and as Backup a dedicated Wireless (Richtfunk) with automatic failover. All buildings had their individual Internet connections, and firewalls to protect everything, all configs synched to the central site.


To be honest, I have great difficulty believing you as a German still use a horse based transport, instead of the well known (good) German cars (Good does NOT include the Trabbi)! I even doubt you have an emergency backup hookup for using real “horse power” on your car…

Can a real “car mechanic” repair your car, or does he need a laptop with the right software and expensive Interface?

What if you bring in your car for service, and Internet happens to be “down” in that town at the moment? I do read that Germany is having great doubts in their own Infrastructure… The federal railways are even competing with Mexico for the most delayed trains in the world!

A small side kick from your southern neighbor, Switzerland, which still has punctual trains (97%!).

:slight_smile:

In the English language, can’t and won’t are two similar sounding phrases, but the implied meaning can differentiate a great bit!

Can’t implies that the capabilities aren’t available, whereas won’t implies that you do not want to, for whatever reasons!

→ Think the difference between “Kann nicht” and “will nicht”, even in German the same differences…


@michelandre

Yes, NS8 is still in Beta!
Rome wasn’t built in a day, as the proverb goes!

This proverb is more than fitting, as Nethesis, the company behind NethServer (NS8) is an Italian Company, and the historic and beautiful City of Rome is the capital of Italy.

And believe it or not - they are still building in Rome, like in any other inhabited city, town or village worldwide!

Yes, a lot of the polish is still missing, it still looks more like a common pebble, than a potential diamond!

Local Backups, very important for SMEs, still fail due to SSL certificates…

But there’s still time til RC or Final, and I do hope for the best!
We do have some good devs on the team!

My 2 cents
Andy

I’m not a fan of backups on the same system as the data you’re backing up, but you could still do this–install Minio, set its storage to be on that hard drive, and then back up to your Minio installation.

There’s an open-source implementation of it, Minio–it’s AGPL3. Which is available in the NS8 software center, and also as an available storage protocol in TrueNAS. I expect it’s also present in other NASs, but haven’t checked.

Or Backblaze, or MS Azure.

All I can do is guess, but my guess would be that the devs feel the same way I do about local backups, which is to say that they’re pretty much useless. But again, if you want to, you should be able to do it using Minio as I’ve described above.

So your concern isn’t that NS8 is less secure than NS7, just that it isn’t more secure? I don’t think I’d agree with that either, but that is a different concern than I’d understood you to have.

Do you think such admins understood the ins and outs of everything in NS7, but will be unable to do so in NS8? I really don’t believe that’s the case. I suspect that for most NS7 users, as for most SME users, as for most e-smith users before that, the server is a black box–they interact with it through the web UI, and possibly with a few CLI commands copied and pasted from a guide somewhere, but with minimal, if any, understanding of how things work under the hood. That is, after all, how it’s been marketed for well over 20 years.

No, I don’t expect it would. So your complaint here is that NS8 doesn’t protect against something that NS7 also doesn’t protect against?

Containers do isolate one application from another, which objectively increases security compared to a system like NS7. How much importance you assign to that particular increase in security is, I suppose, up to you.

In your repeated assertion that NS8 depends on cloud services, for one. Though I’ll admit I hadn’t considered local backups.

…which is the same as “no more SME,” which boils down to “you don’t feel you sufficiently understand how it works.” Which I guess is fair enough, but surely you didn’t understand how everything worked under the hood in NS7/NS6/SME/wherever you started with this ecosystem. I don’t doubt, if you choose to, you can reach a sufficient level of understanding with NS8.

…in its current beta stage.

Not being based on an EOL OS isn’t a practical improvement?

I don’t really think there are. It depends on podman, of course. And yes, that’s a RH project, but it’s pretty widely used and it’s open-source–if RH were to close the source (which they haven’t yet done with anything else), it could be forked by any other interested party.

As above, I don’t put much value on this, but to each his own. I don’t know the devs’ reason for not including it; if they’re using restic as I think I saw mentioned, it doesn’t seem it should be hard to add.

Hi all,

I know that NS8 can run on different OS like Debian, Rocky, etc.

Correct me if I’m wrong, but the core of NS8 is running on Alma ?

I agree with you, but June 2024 is not so far away to develop/test/fix everything in NS8 and mainly, come with a full detailed documentation…

Think about how long it took to get from 6 to 7 to 7.9 while using the same structure. It will be faster using a different one ?

As written above, SME/Nethserver took several years to arrive where it is now.
You think the dev team, as many and as good as they can be, will achieve the same quality in just a few months ?

Michel-André

@danb35

I’m referring to this, when talking about S3:

So much for “hardcoding” options into the config when they’re not supported from the outset!

My 2 cents
Andy

1 Like

full detailed documentation

According to Microsoft, in a statement to court, the latest and most valid documentation on the CIFS protocol, also known as SMB (Server mounted Block) or other names, in the Linux World implemented by the Samba Team’s Samba (Andrew Tridgell’s brilliant creation!). MS had to admit that due to personnel fluctuations, the documentation was “somewhat incomplete”, and the most relevant version is the current source code (Also NOT publicly available!)…

Yet it is the most used network file system by far!


I’d be satisfied if the docs are on a level par with NS7 at introduction!
And that was VERY flakey, as you recall!

:slight_smile: