How to migrate my 3 NS7 to NS8

Just got triggered by the Onlyoffice post for testing.

Made me wonder if I’d tried to migrate one of my NS7 servers with NC and onlyoffice if it would have failed and crashed everything unrecoverably.

Reading these forums over the months I can see gotcha after gotcha after gotcha for migrations.

I have a 3 NS7 environment, all interconnected.

I’m going to have to buy at minimum a new baremetal server because I don’t have near the resources to migrate 3 servers.

I’m going to have to re-architect my infra.

I didn’t get left behind, I got pushed off the cliff. :rofl: :thinking: :sob:

2 Likes

So sad!

@fasttech I see a path for an in-place upgrade, though am not sure how that’s going to work out, especially for apps not yet ported to ns8

1 Like

How’s currently your infra?

Like so…

Since Alessio asked for my infra but didn’t have a chance to respond though I tagged him once I finally had time to illustrate it, I’m interested in your opinion regarding my infra as illustrated roughly above.
According to what I’ve seen of your comments over the months, if I try to migrate NS 7.9 2c to a fresh NS8 install it’s going to s*"t the bed.
This is, of course, problematic, particularly since you can see that 2d is dependent on 2c’s AD and of course, this is production.
So therefore, from your comments over the months, what I surmise I should do is create a fresh install of NS8, manually install Samba, manually configure Samba by copying over all the users, etc., by hand from 2c, (OMG) and then, before “migrating” Nextcloud, I need to disable the shares on 2d from the remote share function of Nextcloud, because those settings in Nextcloud apparently screw up the migration.
Then there’s the issue of the LE cert on 2c because of the Nextcloud OpenOffice app.
There’s also the issue of 2d using 2c’s AD, would 2d as an NS7 even be able to use the NS8 AD… I think not, because the NS8 samba cert will be its own and I will have to rebuild 2d … ffs. What a nightmare.

What are your thoughts please.

Hi @fasttech

My thoughts? You are good at understatement!

A lot of tripwires, and hazards on the route, but not undoable. Your luck: most are running as VMs.

A few facts first, before a migration recipe…

  • NS7 can use the AD in NS8 - without issues. (I’m thinking of 2d here). It does help if that NS7 has an entry in its DNS pointing to the AD. The AD actually needs 2 or more entries.
  • Nextcloud can have its external storage Samba shares pointing to another server (file server); this is usually less issue-prone than local storage. Also here, correct DNS is mandatory.
  • As a file server, what cert the server uses doesn’t matter to AD. It can use the cert from NS8. It can easily also use a self-generated SSL cert, as no https besides Dashboard / Cockpit is needed.

I think the above information will open a few doors for you, enough to do a working migration.
Make sure you have backups of all VMs / NethServers. 2d can be left until the end, to be migrated as the last NS7. As this is just a file server, this one just needs its AD repointed to the new AD, and it will continue working. You can migrate / reinstall this 2d as suits best.

Is this somewhat comprehensible and according to your wishes / plans for your new setup?

I hope so, if OK, drop a message, and I’ll try to formulate a migration path for you.

Two small questions:

  • How many users / groups are there?
  • How many shares are there and what are their (rough) sizes?

I would like to add, in your specific case, this statement may not be valid:

It might actually work without issues, as the File-Server is on a different host.
NS7 allowed Account Provider as a separate install, with or without file server.
File server demanded an Account Provider…
A placeholder file-server could be created, with one single share (This can be even empty, to save time.).
The migrated, empty file server can be deleted on NS8 after migration.

Warning:

Using an AD-enabled NAS to store VM backups can backfire badly, as a friend of mine in IT found out:
He was using VMware ESXi as hypervisor, a Synology NAS as backup target. All worked well with all VMs.
Until the day he wanted to make a full backup of the not running VM (Yes, the NS7 / AD!!!)…

VMware had no access to the NAS - even though it was using NFSv3 (no authentication besides IP) and not Samba / Windows Sharing.
No PC had access to the NAS, although any Samba does support “cached” authentication.
:frowning:

My 2 cents
Andy

My thoughts?

As far as I see, you’re familiar with VMs.

  1. Freeze and isolate neth7. Let neth7 do the jobs you need as long as possible. On neth7 stop any service/app you don’t need. If you update anything, take a very close look before updating neth7.
  2. Use OPNsense as firewall. Configure the fw carefully. Let the fw do all certs. Use haproxy or nginx. If you need info on how to move and prepare the certs (haproxy) for neth7, ask me. Or have a look in the OPNsense forum.
  3. use mailcow for email

Following this, you’re pretty safe keeping your production running. Nothing will happen you can’t handle. Keep calm and wait until another reliable fileserver/distro comes up that you trust.

To speak in Andy’s words: my 2c

It is possible that a cert is required for purposes other than the file server (guacamole or another app using it, IIRC at least from NS7 but I could be mixing up things).

Hi @dnutan

As shown in the image above, the file server (2d) is not a VM, but a hardware NS7 acting as file server / NAS.
No other use for that box, everything else is on NS7 VMs.
All NS7 besides the AD are “member servers” of the AD’s Samba domain.

That this box is already “isolated” makes things easier.

My 2 cents
Andy

Understood. Today I didn’t take a look at the diagram, so just noise.

1 Like

I’d hoped I’d made it clear but NS 7.9 5 is ldap, it is not a member of 2c, only 2d is a member of 2c.

1 Like

Even better!

As I’m sure you understand now, 2c is dependent on 5 for traffic flow and 2d is dependent on 2c for auth.

I was actually kinda hemming and hawing as which to attempt a migration first 2c or 5.

I need to address the ngfw so I can free up hardware, I’ve lost 2 days to nsecurity already, I’m probably going to order the $129 gateway ultra and see if it’ll work, otherwise I’m going to migrate, by hand, the ngfw to the hardware I’m trying to setup nsecurity on. Then I’ll start migrating the NS7s once the hardware is freed up and I can repurpose the hardware as proxmox nodes.

I do.


I would suggest 2c first. 5 will continue working, so no worries. 2d needs to be adapted as stated (AD repointed with DNS to new AD).

I would back up the whole box first, then attempt a migration. Maybe create a local file server with a single (empty) share, so migration (file server first, then AD) will not run into issues, as both are there.


I can very strongly advocate for this (Unifi Cloud Gateway Ultra). I’m using this for several clients already, and for my Home Lab. At Home I use the UDM-SE.

I can help with these boxes, as I know them well!

Despite having a UDM-SE, I still keep my hardware OPNsense, as it’s still a powerful box - and can offload VPNs, second DNS and more to the OPNsense from UDM-SE…


For Proxmox servers with less than 32 GB RAM, I would NOT suggest using ZFS (my fav), but the default XFS. Also rock solid, needs less RAM, has far fewer features, but is highly usable. XFS is also the default file system used in NS7.
For NS8, I’d strongly suggest BtrFS, works well and allows even PBS file level restores.
Synology as an example is a major user of BtrFS, and even in ten year old Synologys, I’ve NEVER had file system issues, even with several “enlargements” of the RAID array no issues!


If you are using KVM on Ubuntu at the moment, you can basically save the VM and its config file, and reuse those in Proxmox…


I will be available for help on the Forum and Telegram, if you like (and PM me when!).

My 2 cents
Andy

2 Likes

You’ve encountered no issues with port forwarding on the UGUltra? Particularly 443?

Not at all!

Since upgrades, UI can not only handle NAT, but also PAT, meaning it can listen externally to e.g. 2224 and forward that internally to 22, so internally 22 can be used for SSH, and externally 2224, no changes to the host.

See PM…

My 2 cents
Andy