NethServer 8: planning an evolution

During the last month, Nethesis had some meetings to plan the future of NethServer.

We would like to share our thoughts and get your feedback.

CentOS 8 has been out for a year and it can be considered stable, but is it mature enough for our purposes?

We did some experiments and we found that:

  • it’s a cloud-oriented distribution focused on containers
  • many things we use in NethServer 7 are missing (notably SCL)
  • it’s not a good distribution for a UTM firewall: nftables is the new default with limited firewalld support, and there is no shorewall or equivalent software

Network security will probably change very fast in the near future: is a UTM firewall still useful when all workers are remote? If nobody is at the office, does it make sense to have a firewall that filters internet traffic and protects just a few hosts?

The next-generation firewall will probably focus on zero-trust networks, VPNs and WAF.

And none of these applications can easily be built on top of CentOS 8.

We believe NethServer should focus on two main points:

  • privacy: you own your data and you can store them anywhere you want
  • simplicity: the configuration should be easy for administrators with little or no experience

Until now, we always followed CentOS schedule: when a new major version was out, we ported NethServer to it.

So, is it really worth porting NethServer 7 to CentOS 8? Mmh, not really.

When we switched from 6 to 7, we had new technologies that helped us to improve the product, like systemd and containers for Samba 4. CentOS doesn’t bring in any appealing technology.

If we remove the firewall part, what will NethServer be then? Will NethServer be just a platform for running containers?

Nowadays many NAS devices can run many more applications than NethServer.

Having a platform that just runs containers is not enough: applications should be configured, secured inside a backup and upgraded smoothly.

One of the most requested features from our customers is the ability to manage multiple NethServer installations from one place. This sounds much like an orchestrator, so we even dove a bit into things like Kubernetes and Nomad.

And of course, this is the right moment to make radical changes and embrace new technologies, like:

  • replacing the esmith database with something more modern and cluster-aware (etcd, consul, redis)
  • replacing perl templates with … ansible jinja? or no templates at all?

The IT world is running fast toward an ecosystem of distributed microservices: users and administrators just want access to services, no matter how they are handled under the hood.

These are our still open questions:

  • does it still make sense to develop a distribution?
  • is the all-in-one server still a valid solution?
  • is it time to start the development of NethServer 8?
  • should NethServer 8 be just a solid base to run or orchestrate multiple services?
  • what will be the base for the UTM firewall, if any?

NethServer 7 will be EOL in more than 4 years, so we have plenty of time to make a great NethServer 8 together!

12 Likes

Is Debian Buster too far to take the leap?
The switch to a “container approach” for applications reduces the footprint of the single server, therefore it looks more like a hypervisor than a server, where the “real servers” should be the containers, not the applications.

NethServer tries to integrate a multi-role server, with more software and services going to cooperate and rely on the system (SSSD for authentication, network for connection, firewall/virtualhost for managing communication, reverse proxy as a protection).
If the “future” delivered by CentOS 8 is being a container ship… is it because Red Hat is asked to be more like a container ship rather than a server?

1 Like

I am picking just one of your points and I must strongly disagree with your logic.
If most of the personnel is working remote, they most likely VPN in and use the office connection as gateway to the internet. That directly justifies the need for a very strong Firewall/Gateway. Besides that, if you run anything like data and account services on your local network, you don’t want anyone else but those you grant access to be able to snoop around.

I do see we have a challenge…

3 Likes

Yes… and no.
If the application for your job is insecure by design, security by separation is the way to defend, and the VPN service with IPS and UTM seems a necessity for the premises/site which hosts the application(s).

But what about the use of a platform/application built to be publicly accessed? I’m trying to get one of my customers to adopt Mattermost to help connect some of the sites (currently phone and email are far more used); this could be quite a turning point to help people communicate and somehow reduce/change the email usage.

Mattermost could be installed on a spare computer, for the testing phase, but… what about not having it on premises? Only providing that on a VPS/hosting?

Pros

  • no hardware would be involved as a single point of failure (host, switches, firewall, routers)
  • site connectivity would no longer be critical for other sites
  • ISP dependency should no longer be a problem, even without specific requirements like a public static IP address
  • backup could take only a few seconds or minutes, mostly depending on the service subscribed
  • no investment needed in case of adopting or longer/stronger testing
  • lower budget for testing and evaluation

Cons

  • less control of the application and the system hosting it
  • less connection capability to other systems (like LDAP/AD)
  • continuing cost of the VPS/hosting, which is sometimes higher than power and a cheap maintenance service for the hardware
  • slower speed. Not having an in-band (WAN) and out-of-band (LAN) connection, uploading and downloading data could have a big impact on the perceived performance. Of course someone in the community has a 1 Gbps ISP service to deal with, but it’s not the “normal” ISP service.

In a world of multiple services/software provided only “on cloud”, you may not even need any kind of hardware on premises, maybe not even for backup (I strongly suggest not using a “cloud only” backup policy without encryption and multiple services).
So IPS and VPN are less and less needed…

2 Likes

I hope so.

Again, I hope so.

I recognize my use case is atypical, but I started using e-smith (version 3.something, I think) as my home server around 20 years ago. Its core feature set then is still what I use it for today–provide web/mail/file/firewall services on a LAN to a small organization. OK, at the time, the “small organization” consisted of one person. I wrote the early versions of the e-smith-horde and e-smith-imp packages, and for a long time my name was still in the changelogs of the official packages. A lot has changed since then, and I’m using it a bit differently–my main Neth server is on a VPS on another continent, I’m using FreeNAS as my file server, and I’m using pfSense for my firewall. I’ve added user accounts for members of my immediate and extended family.

But despite all the changes, I still need a web/mail server that’s secure enough to be on the public Internet, and easy enough for a non-IT pro like me to administer. And I need that because I don’t trust Google with all my data–otherwise I’m sure it’d be much simpler (and probably cheaper) to just go to GSuite. I know it’s popular today to just put everything “in the cloud”–apparently having control over your own data just isn’t that important to a lot of folks. I believe that’s a mistake, even though it’s become easy and cheap to do, and I think it’s important to have a distro (or better yet, a few) to make it fairly easy to self-host for folks who want to do so.

5 Likes

I must still be a bit irritating to the Dev Team (sorry @giacomo, you started the thread).
If a distro which provides services like NethServer does not provide full IPv6 support, it will knock itself out of opportunities to be chosen.
Not for 8/Future/Next (NG was already used! :wink: ) but today.
How many hosting services are providing IPv4 as a paid option?

2 Likes

Even though I don’t have a need for IPv6, I’d have to agree here.

Hi folks, what if we start a survey and ask the NethServer admins what functionality they use and miss?

I hope yes, it still makes sense; the market seems not saturated if we look for a server with a server manager: Univention, ClearOS, SME Server.

For SME I would say yes… protect the network, run email, web, applications. When you play on the ground of big companies with a lot of sysadmins, of course ansible and one server/container per task in the cloud is the way. But NS must be compatible in the cloud and on real hardware/virtualisation.

I worry about the technical debt: release when it is ready and you see your users go away. So yes, a move to another upstream or follow CentOS.

Obviously you make me really interested. I looked at containers after years of doubt and fear and now I see the opportunity that we have. If you speak of the lack of SCL, probably that is the cause: we could run any version of a software in a container.
Nevertheless I try the container way because we have reached the limit of software versions of CentOS 7; indeed, even with 4 years of EOL, from a developer’s POV it became difficult to install modern applications.

Really important yes, a centralised node for any remote users, protect the network.

I think you missed another point, about finances: how to bring more money to the development of NethServer 8. Actually all is supported by Nethesis and not by the NethServer community. I never read about Proxmox and their doubts about following the next Debian version, maybe because the community and the professionals pay for the development.

5 Likes

I do not have ns7 running for now - only a test VM.
I periodically check what’s new.
Yes, all in one server - I dislike docker and others.
My small word:
TLS v1.3 missing very much
HTTP/2…3
Redis

I think ns needs a new base OS for new technology.
Is transferring to Debian buster possible?

1 Like

Is 1.3 that important? TLS 1.2 is still there, and is still considered secure (even by PCI’s standards).

Redis is there. It may not be part of the base distribution, but it’s there at least if you install Nextcloud.

1 Like

A new version every two years, with a lot of breaking changes, is a kind of challenge, even if I like this distro.

2 Likes

Just my input, but this is why I started purchasing subscriptions for my business deployments: these two points & added security. I have almost entirely replaced all of my existing Zentyal deployments because of things like @stephdl’s fail2ban, 2fa and soon to be threat shield. I cannot emphasize enough how attractive these additions are, which can be consistently deployed & monitored at the GUI level, and it is something I would pay for.

9 Likes

I tend to use the following strategy:

  1. using a long term stable Linux distribution.
  2. Focus on infrastructure and application services
  3. no virtualization (if anybody needs it, they should use Proxmox)
  4. increase the software center as a scalable “App”-Store for more add-on application services
  5. common network technology: IPv6, NG-firewalling, …
  6. easy administration with native Linux skills; w/o Perl, Python or other developer skills

best regards, Marko

8 Likes

No, in my opinion.

Containers are the wheels of the last-generation hybrid-cloud technology that has been around for a decade.

In the '70s the operating systems changed the world of IT by introducing the concepts of (hardware) abstraction and multi-tasking. Increasing processing power was the driving force of the “all-in-one” (server) approach.

Today workload orchestration provided by things like Kubernetes and Nomad is the new face of the process scheduler that is inside the traditional operating systems. And the Internet is the driving force that shifts the focus from the single server’s processing power to the fast-scaling and distributed computing platform known as “the cloud”.

Problems and limitations always exist:

  • Digital divide: slow CPU yesterday, slow Internet connection today.
  • Privacy and data security, another big concern!

To address them the hybrid-cloud splits the problem into public/private infrastructure and on/off-premise.

I think we have to take the leap. Learn, design and implement something based on today’s technology to shape the business like we want. This is what the FOSS communities always did!

I’d like a hybrid-cloud platform that, with some limitations, can run even on a single server (!) but can leverage service cloning, scaling, atomic upgrades and fault tolerance out of the box.

I’m afraid that if we don’t provide a cheap-enough platform for our services by ourselves, we’ll buy it from someone else at their price.

The hybrid-cloud approach shifts the focus from the OS/distro level to the services orchestration. First and foremost we have to plan the service lifecycle (install, configure, update, upgrade). As the distro becomes less important in general, we can pick an alternative distro to build a better firewall.

In the end (I’m a developer) I’d change our project technology to preserve our project goals :hugs:

2 Likes

I think NethServer 8 will be one of the most massive upgrades we have yet to undertake.

Considering the amount of changes that need to be parked.

I would also love something like this.

In my point of view, that is not an orchestrator.
Mainly what we need to have is: all NethServer instances are installed manually on each machine, but we can have a NethServer instance that allows us to view specs of the other servers, see issues, and run ssh commands all from one window.

1 Like

Thank you for the good outline and summary @giacomo.

You certainly have a very good challenge on your hands with this and you’re definitely asking a couple of good questions there, and I can’t fault them.

I think NethServer 8 should be some form of solid base in which it can run or orchestrate multiple services in a distributed environment of some sort or fashion. Not exactly sure as to what form that would take as yet and that is really open for discussion.

Is the All-In-One solution still valid? Well yes and no. As IT services and requirements mature, individuals and companies are slowly moving to a more distributed design. However I do recognise that certain organisations may have to look at an All-In-One solution from a financial perspective as they may not be able to afford to have multiple servers, so this would be more of an edge-case as opposed to the norm.

4 Likes

I can give you a case scenario for us.
We are using NethServer for a large number of our operations.
Because there are many tools we have deployed, each with their own measure of security needs and access rules, we do not have a single NethServer installation that does it all.

We do however have multiple separate NethServer installations, each with a different software system. This is because some tools tend to break the server, and it would be catastrophic to have the mother server for the company go down.

2 Likes

Thanks for that @oneitonitram, it’s really helpful to know that scenario.

I suppose a useful feature for NethServer 8 would be a way to manage each of those installations with each of their separate requirements centrally somehow.

15 years ago I had no problem running around to each server managing each one separately. Nowadays I recognise that not all of them are in the same building or location and I am seeing the wisdom of being a lazy little sod when it comes to certain tasks.

2 Likes