Hotsync for NS8

I haven’t seen that NS8 has a hotsync feature as NS7 does. Has there been thought toward developing one? It seems to me (definitely not much of a dev) that the clustering should make it easier–join the “hotsync target” system to a cluster, and you already have integrated management of the leader and other nodes. Obviously some work would have to be done to sync the modules/apps and their data between the two systems, but it kind of seems like the basic architecture is already present in the clustering system.

Any thoughts on this, or is it already being addressed in a different way?

@danb35

There is work being done on a full AD - meaning replication between AD-Servers.
This was the “main” use of Hotsync (Mail can be done with IMAPsync).
But still work in progress, maybe by NS 8.1, maybe sooner.

My 2 cents
Andy

That’s kind of a surprise to me, maybe because I’ve never used AD. But no, mail across all accounts on the server can’t be done using IMAPsync. Neither can Nextcloud. Neither can any other web content, database, or anything else.

And also NOT with Hotsync.

You still need to change the DNS - for ANY of these solutions for that to work!

Only if Hotsync is at the same site and same IP range - and NS7 was your DNS server, did it have a “chance” at working.

And even with daily / hourly syncs, there is / was a security hole where one or several Windows boxes would NOT be able to access the Domain (Or Mail, for that matter!) after switching to the HotSync server - a timing / race condition issue which a synced AD does not have!

Namely then if the Windows box changed its AD Password (It does that once in a while, and it can’t be controlled when exactly) just before the AD barfed (And gets switched over to the HotSync). The box uses a newer AD password (For the host, not the user), and is locked out of the Domain and any AD authentication - even if the user’s password is correct.

→ This issue can also happen if restoring an AD from Backup (Why enterprises often don’t even consider this solution and use several ADs) - Some hosts will have changed the AD Password of the host and have to be manually removed from the Domain, rebooted, re-added to the Domain (Sometimes entailing cleaning out an AD entry!) and rebooted again…


On the other hand, with correct DNS entries internally and externally, Full Mail HA / GroupWare is possible. Using IMAPsync, NextCloud or whatever!


Most SME will only use AD, as LDAP doesn’t allow for authenticated shares on NS7.
You only get a generic share for everyone - at the security level of Windows95, which is dead now for nearly 30 years and a BIG security hole!
Home Shares are not possible.
This is also Illegal in EU, the home country of NethServer is Italy, an EU country!

In this sense, AD provides a conceptually generally higher security than any LDAP, as AD uses two parallel systems for Authentication (Host and User must have valid AD credentials), and the host credential system can’t really be influenced. (You can’t change or verify the host’s Password, or even check when it was changed without a lot of work!).

LDAP doesn’t check any host credentials at all!

I do emphasize “conceptually”, Microsoft’s implementation of their own concepts is more than lacking, as time has proved time over time. And AD is over 20 years old!!!

My 2 cents
Andy

Yes, it does. Hotsync syncs all the data, every 15 minutes (not quite “real time”, but close enough for most purposes). Yes, you’ll need to update DNS if the primary server dies, and you’ll need to run a command to “promote” the target to “master,” but that’s it–under NS7 with its current hotsync feature, assuming it all works properly (and it’s pretty fragile).

…and if you care about having NS as your file server, this may be important. Lots of us don’t. That’s IMO a poor design decision in NS7 (don’t know if it’s carried forward to NS8), but it’s a moot point for me as I don’t use NS as a file server–that’s what TrueNAS is for.

The hotsync I have in mind would presumably include AD, but (like the one with NS7) not be limited to AD.

ONLY, but really ONLY if at the same site and IP range.
As this is not possible for hosted environments in the cloud, it won’t work in the cloud with MASSIVE changes after promoting!
Modifying the MAC Address of a host is highly frowned upon in hosted environments!
HotSync will also not work “out of the box” in a multisite environment, as site 2 would use a different, local DNS server.

→ And that’s what HotSync does.


That sounds more like a paid-for ad from TrueNAS!

To be precise, that’s what the company intends people to think. Not more, not less.
I do not see anything about the company iXsystems or TrueNAS (Scale, Core or Enterprise) anywhere in any RFCs or any “Best Practices”, except those by TrueNAS diehards.
Storage is, per se, generic and not company specific. Even the used file systems are generic.

I actually support and find TrueNAS systems well - but storage is a “commodity”. And a commodity is interchangeable.

Good as it is, even TrueNAS has, as almost any known system, simple file locking issues.

CIFS (Windows Network File System) and NFS (As eg the earlier NetATalk for Apple) are essentially “file sharing” systems for sharing files over the network, like most enterprises, organisations and even private people do, since the advent of networking.

However, both do not share the “lock” file, eg when a file is being edited.
So if a file is edited using CIFS, it’s not locked for any NFS user - file corruption or wrong version conflicts loom.
AFAIK, the only system which included a consistent locking system for all three systems (Windows CIFS, UNIX/Linux NFS, Mac AFP) was the old Novell Netware using eDirectory and the Novell Filing System.
This still exists, but now on Linux from the guys who bought over the leftovers from Novell.


NS7 was designed as a SME Server, based on Microsoft’s Small Business Server.
One Server for all duties, including firewall, storage, file, print and mail / groupware.

I personally never liked having the firewall as part of the whole, so always implemented a separate firewall.

And Backup done on the same box - a USB Disk connected to a server, as NethServer intended its backups in the past, is not a good place for a backup, as it’s “on” the same hardware. A power surge can also fry a connected USB…

As an “Old School” IT guy, Mainframes used a different host for backups, same as in DOS…


I’ll remember that, when you complain about losing that very important one mail, a shipping brief or whatever, worth alone 10 mil !!!

Your own employer, the US state - especially the SEC - implements hefty fines for “lost data” when dealing with any US exchange…

:slight_smile:

My two cents
Andy

Hardly paid-for, but a more accurate statement would be “that’s what I use TrueNAS for.” My NS install is in a VPS on your continent (but will be moving to NA as I migrate to NS8), which isn’t very conducive to use as a file server. But certainly there are plenty of options for a Samba server, many of which (unlike NS7, and apparently unlike NS8) can implement multiple user permissions without a full Active Directory environment. But the discussion of AD is very far afield of what I’m asking about, and your posts make it sound like you just aren’t very familiar with what hotsync does in NS7.

Hotsync copies all the data–users, email, databases, web content, ibays, etc.–from one NS7 instance to another, every 15 minutes. If/when the first dies, you promote the second to master. What else you have to do depends on your environment:

  • If both master and slave are bare metal on the same network (or, I suppose, VMs on different hosts on the same network), nothing–the new master picks up the old master’s IP address, and everything continues as it was before, with the possible loss of just under 15 minutes’ worth of data
  • If master and slave are on different public networks (e.g., one or the other–or perhaps both–are on public VPS providers), you’ll need to change appropriate DNS records (if you’ve set them up properly, you’ll only need to change one, as everything else will be a CNAME) to point to the IP of the old slave/new master machine, and set the WAN IP on the old slave/new master to match the IP assigned by the hosting provider for that machine. These are hardly “MASSIVE changes.”

No, this isn’t real-time data sync. It’d be great if it were, and if it were possible to set up NS8 hotsync in such a way that it were, so much the better, but “every 15 minutes” is acceptable IMO. It might not suffice for publicly-traded companies (the ones that are regulated by the SEC you decided for some reason to mention), but those aren’t the SMEs this project targets.

I have zero Fs to give about AD. I don’t use it, I don’t want it, and it appears I can’t migrate to it even if I wanted to (and I don’t see any reason to want to). I have no idea why you mentioned it, because it’s at best only tangentially related to what “hotsync” does in a Nethserver context. The “hotsync” I’m asking for is what I described above, or something like it. A full primary/backup domain controller arrangement might be a good thing, but has nothing to do with what Nethserver has been calling “hotsync.”

I know that, Dan, and I’m not insinuating you are getting any cash from iX systems. As said, I find them / their products on the positive side of things, probably just as you do.
But where safety and security are concerned, I am rather demanding - and when a lawyer makes such statements, my alarm bells start to ring. :slight_smile:

I do plan my own setups at home, but my job is to advise and set up / maintain systems for clients, and this in accordance with best practices and - where possible - open source.

I do have some doctors’ practices as clients, and more than one are cardio (heart) specialists. In such cases, a loss of data, even if only historical data, can entail a risk for a patient’s life, a risk I’m not prepared to take under any circumstances. :slight_smile:

I am quite familiar with what it can, and what it can’t do.
I use it for some clients, for others I’m better off with Proxmox disaster recovery options (faster!).
15 Mins can be too much / long!


Fully agree.
And it’s not HA, but better than nothing.

However, a full primary/backup domain controller arrangement doesn’t exist any more as such. This was the NT, pre-AD concept.
Now AD is more “primus inter pares”, the prime among equals. One can be demoted, another promoted.
A BDC could be promoted, but remained a BDC in some records in the NT database (Pre AD times).

Some people do Backups, using whatever is available.

  • I use the system’s options for Backup (eg NethServer Backup)
  • I also use Proxmox options for Backup. PBS & NAS (both!) All hosts except for Hypervisors and Storage are VMs.
  • But I also rsync the data, based on my own code with weekly generations to a NAS.
  • And all above also offsite, just in case…

I do admit knowing the times every signal bulb on an airplane (Yes, pre LED times!) had three filaments, just for redundancy reasons. A pilot had to know for sure that the wheels were out before landing - you can’t just get out and check!

I am aware of a lot of the issues and reasons here in the Forum for doing things the way they are done, even if far from best practices, but it worked on NS7. NS8 is a different animal, but right now, NS8 is not far from NS7 just after release. Docu incomplete, a lot on NS6 still not available as modules, whatever.
Yet NS7 ripened just fine, as I hope NS8 will.

I do think HotSync will appear - but it probably will only be available when most available (all?) modules in NS7 are available for migration.

IT safety / security is and always has been a big issue for me, and in this sense I often act the advocatus diaboli… :slight_smile:

Law is / can be very lenient - or very, very stringent. IT can be very unforgiving, gone is gone and fried is fried. :slight_smile:

My two glowing pieces of coal
Andy

I do not use AD and never will, I am however interested in vendor agnostic Hotsync capabilities based on proven technology, just like NS7 had.