Ok, well… This will sound like whinging, and yes, in part this is just me venting. I hope though that it’s also useful feedback for the project, and that it’s useful to other people coming in from SME Server.
Some of these may be caused by CentOS 7. Some may also be present in SME 10 (alpha) which I’ve never used. I’m comparing with SME 9.2 which is end-of-life.
I didn’t run every problem right to ground, so a lot of this might have just been me doing it wrong, but if it happened to me then it’s possible that it happened to someone else, and maybe some keywords here will help other converts figure stuff out.
I’ve been using SME since version four – so what’s that, over twenty years I think maybe? Close to… anyway, so moving away from it is slightly… emotional maybe? Anyway, I built the backbone of my Linux footprint with SME, so it’s “a thing” for me.
I know this is a CentOS thing but anyway… If your disks are over 2TB, you will need a magic partition: biosboot if the system boots legacy style, an EFI partition if the system boots UEFI. SME couldn’t cope with this either; I got around it by using less of the disk, and keeping the total size under 2TB. I don’t think this really belongs here but I’m documenting my experience, and this was part of it.
So the CentOS installer really struggles to set this up properly without help, at least mine did; and at the end you have one drive that can boot the system, and then a different one which has a copy of all the partitions except the magic one. This means if the primary drive fails, your system cannot boot without some serious help.
With sub-2TB drives, or manual work to duplicate this magic partition to both drives and then leave it alone, you can pull one drive, drop it into identical hardware and boot up two identical servers; or at the very least, be able to reboot after drive failure.
The rsync backup is really good – but I really want you to let me give you a mount point to back up to. That way I can set my backups over fuse-ssh or filesystem-over-gmail or whatever… my preference is /dev/sdc formatted directly (i.e. no partition table) but nethserver won’t let me. Not a massive problem, but a bit annoying, especially as the backup routine wants to mount and unmount the filesystem, so I can’t easily use the same volume for backing up other non-neth nodes remotely.
However, not having it all in tar files is handy and the other modern options are cool so overall I think backups are improved over SME.
Under SME I can have a server called example.com and a bunch of other domains configured too. If I make a user, I’m pretty sure that the user gets an email address under each domain by default. With neth, I need to create the extra email addresses. Also neth doesn’t have ‘domains’, we just put them in as aliases under the hostname setting, as far as I can tell. No real dramas.
Oh my god!! Well, you can’t create a user outside the context of the LDAP or MS/Windows directory service. I didn’t mess with the LDAP stuff, but the Windows service, behind the scenes, adds a virtual machine and requires a bonded network card (e.g. br0).
It doesn’t say anything about the network changes or the VM in the GUI. I hope it doesn’t become standard practice to create a new VM and IP address for every service in CentOS, this could get very complex very fast!
If the admin removes that bonded NIC, no errors are offered and it goes away, but nsdc will never start, throws file permission errors (!?) in the log, and all the user accounts vanish! If you try and fix this by removing and re-adding the accounts provider, it can be made to work, but a reboot makes it go away again. This continues until you deliberately recreate br0 or reinstall nethserver.
It’s terrifying. Don’t mess with br0. This also means that you can no longer see the proper name of the physical LAN card in the manager, much less make any changes to it…
So now my server has samba right? No! locate smbclient shows /var/lib/machines/nsdc/usr/bin/smbclient but because it’s from a VM the dependencies aren’t there and you can’t load .so files. yum install samba-client gets smbclient installed if you need it.
So if you stop the nsdc service from the CLI, nothing restarts it by force like SME likes to, and the GUI will tell you it’s stopped, but won’t give you a way to start it.
So you can’t manage users in /etc/passwd, they just aren’t there. Neth maintains special user login files for postfix, but ssh (I think) uses the LDAP-providing VM. I could be wrong there.
I know a hell of a lot less about Linux than the nethserver development mob, so I’m sure there are good reasons for all of this, but not being able to control users in /etc/passwd and /etc/shadow means that I need to make a bunch of changes. When I ssh in as a user, I can’t even read my homedir…
So maybe there are good reasons for avoiding the traditional /etc/passwd, but whatever that reason is, it’s very annoying (to me).
ibays & vhosts
Used to be if you make an ibay you get a website/page, samba share, ftp & username.
So on SME, for example, I had an ibay ‘business’
\server\business has all my office docs.
http://server/business has the php app for invoicing.
If I need to share with someone else I can give them username business, password asdliuasd and they can access the resources of that ibay, but don’t get an email account or any other server access. It also doesn’t link to an individual, which is better where staff turnover might be high (but here it’s only me).
Can I do this with nethserver?
No. The basic concept of an ibay – a data ‘zone’ wherein you could turn on or off different access methods – is gone.
Now you need to make a user if you want one, make a windows share and configure permissions for that user, and make a new host[name]/vhost if you want one.
So you can’t have http://server/business, you need to have business.server.com, which is fine I guess, but the folder on disk that holds the data is called alek3bqgk57834581u3, and the user is also called alek3bqgk57834581u3, and you can’t change these. So that’s a bit messy.
Also, it’s not fine. It means that for SSL to work properly I need to use a wildcard cert, or have an entry in my cert and update it for each and every vhost! A pain either way, especially as the certificates system in the GUI won’t accept an asterisk in the input, so then I’m off on the CLI to sort that out. A wildcard seems to work better for http verification unless you also have wildcard DNS so that LE can find your neth server.
All that worked well, but the 15 seconds DNS delay is hard-coded in the script where it could be a config property, and it wouldn’t be necessary if the GUI supported server.com/appname.
Conceptually, I am very comfortable with the idea of having lots of apps on one server using different url /suffixes to choose the app. SME would let you add a hostname/alias/domain and redirect the root of that to an ibay anyway, thus allowing either app.example.com or example.com/app. Neth server only supports app.example.com, so that’s what you have to use.
Oh yeah, and if you want FTP on your ibay? Well you can use sftp to access user accounts, configured in one place, or reach a vhost via the alek3bqgk57834581u3 in the vhosts config, or just create new ftp-only users that only exist for FTP and nothing else, but there’s no ibay so the business processes can be split over a range of accounts and services.
The server does not act as a gateway between the LAN and the WAN unless you install the firewall application. Then it’s fine, but will go offline for a short time if you try to configure Windows account services (the creation of br0 messes with the network for a little bit). I still need to set up PPTP or OpenVPN.
SME has a bunch of these curated add-on modules, listed at https://wiki.contribs.org/Category:Contrib
They have about three times as many for SME as there are apps for Neth. Of course, a lot of these are of limited use (e.g. motd), but then, a lot of the neth ones are standard in SME by design (e.g. restore backups, IPSec). I suspect (hope?) that there are many neth server apps that I haven’t configured my server for yet, like rtorrent maybe or zabbix, dansguardian, zoneminder, local bitwarden… whatever. Cool stuff like this.
I feel like I’m just getting the official feed and there’s an optional apps feed, but I haven’t looked yet.
Anyway, that’s my ramble. I am really grateful that the devs have put so much work into this, it is cool and I think it will work well as a replacement, but I really miss the old iBay arrangements…
Thanks for reading, any who bothered.
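The "magic partition" problem the post describes (one drive boots, the mirror has everything except the biosboot/EFI partition) is easy to check for before a drive fails. This is an added shell example, not from the post or from NethServer: it reads `lsblk -P -o NAME,TYPE,PKNAME,PARTTYPE` style output and lists every whole disk that carries neither a BIOS boot partition nor an EFI System Partition. The sample disk layout is constructed, and the `missing_boot_disks` function name is my own.

```shell
#!/bin/sh
# missing_boot_disks: read `lsblk -P -o NAME,TYPE,PKNAME,PARTTYPE` lines on
# stdin and print each whole disk with no BIOS boot / EFI System partition.
# A disk listed here would not boot on its own if its mirror partner died.
missing_boot_disks() {
  awk '
    {
      split("", kv)                      # clear key/value map for this line
      for (i = 1; i <= NF; i++) {        # fields look like NAME="sda"
        split($i, p, "=")
        v = p[2]; gsub(/"/, "", v)
        kv[p[1]] = v
      }
      if (kv["TYPE"] == "disk") disks[kv["NAME"]] = 1
      if (kv["TYPE"] == "part") {
        t = toupper(kv["PARTTYPE"])
        # GPT BIOS boot partition, GPT EFI System Partition, MBR EFI (0xef)
        if (t == "21686148-6449-6E6F-744E-656564454649" ||
            t == "C12A7328-F81F-11D2-BA4B-00A0C93EC93B" ||
            t == "0XEF")
          bootable[kv["PKNAME"]] = 1
      }
    }
    END { for (d in disks) if (!(d in bootable)) print d }
  ' | sort
}

# Constructed sample: sda has a biosboot partition plus a RAID member,
# sdb only has the RAID member, so sdb cannot boot the box by itself.
SAMPLE='NAME="sda" TYPE="disk" PKNAME="" PARTTYPE=""
NAME="sda1" TYPE="part" PKNAME="sda" PARTTYPE="21686148-6449-6e6f-744e-656564454649"
NAME="sda2" TYPE="part" PKNAME="sda" PARTTYPE="a19d880f-05fc-4d3b-a006-743f0f84911e"
NAME="sdb" TYPE="disk" PKNAME="" PARTTYPE=""
NAME="sdb1" TYPE="part" PKNAME="sdb" PARTTYPE="a19d880f-05fc-4d3b-a006-743f0f84911e"
NAME="md0" TYPE="raid1" PKNAME="sda2" PARTTYPE=""'

# Demo on the constructed layout; on a real box run:
#   lsblk -P -o NAME,TYPE,PKNAME,PARTTYPE | missing_boot_disks
printf '%s\n' "$SAMPLE" | missing_boot_disks
```

An empty result means every disk has its own boot partition; any disk printed is the one to fix (copy the biosboot/EFI partition to it) before relying on the mirror.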