NethServer 8: planning an evolution

IMVHO, @danb35 this could lead to something that maybe Nethesis doesn’t want: the lack of capability to connect to external SSO/IAM, which SSSD gave to NethServer.
Many people are using NethServer as “network core”, but not everyone wants to change their current Informative System for connecting another server.
Moreover: sometimes having separate login processes (and no SSO) may help keep people who are not supposed to access some functions of the server from doing so.

I’m happy that word is still appealing :laughing:

By now, “cluster” in NS8 is all about sharing configuration and accounts among multiple nodes.

  • The configuration is stored in the Redis DB: NS8 has a “leader” node and can have additional “worker” nodes. The administration UI changes the configuration DB. Agents running everywhere pick up the configuration and apply it. One module, one agent.
  • Account providers design is still really experimental. We are evaluating this approach: no more SSSD, no more Unix user accounts: applications access LDAP directly. Each node has a LDAP replica running locally (if the account provider is local, of course). AD is natively multi-master and we have a working multi-DC configuration. OpenLDAP multi-master is possible and widely documented too (still we didn’t implement it).

Further clustering of modules/application instances is possible, but not planned by now: we are focusing on the core platform.

We are discussing how to deal with connectivity problems among nodes: having local replicas should ensure that services continue to work in any situation.

It is one main goal. Still too early to say how, but a possible approach is leveraging another feature we want to put in the NS8 platform: module/application migration from one node to another. Moving applications around is part of the daily sysadmin job: we want to ease it!

I’ve no direct experience, so don’t mind me. It is interesting but the additional complexity is a bit scary. I read in another thread that it can be important for Mattermost integration too: that’s a good point. I agree it would be nice to have it as alternative account provider configuration. Applications that support it could then bind to it and enjoy SSO.

Yes, NS8 still allows remote account providers to integrate existing systems.

Exactly! In NS8 the admin UI has a separate users+authentication DB.

7 Likes

Would really love a proper DNS (all types of entries, multi-zone etc.).

4 Likes

Well, luckily a DNS service is not required by the core services. To keep it as simple as possible we consider DNS as a service provided by someone else.

It would be nice to integrate with DNS providers to ease the services configuration.

This does not conflict with a DNS module running in NS8 itself, as a public service too. It would be nice to have.

To evaluate a development effort

  • Does the module provide a configuration UI? Do we need to develop a UI for it?
  • Do other modules need to integrate with the new module? Does it provide a (standard) API/protocol for that?
1 Like

@davidep

As said, BIND is still the standard implementation of a DNS server, and has been the reference since day one.

I’ve myself intensively used BIND as a provider in the early 2000s, and it works very well, needs no database or any critical stuff other than a “zone” folder, where zone configs are kept.

A simple example of a well working WebGUI for BIND is available for example in Jamie Cameron’s Webmin, a tool I’ve also used a lot.

I also installed BIND on NethServer’s predecessor SME-Server, and installed Webmin there just to administrate BIND.

BIND can handle every specific requirement of a DNS Server - it still is the reference implementation!

Manual file handling takes a lot of know-how, and precise implementation; the syntax of the zone files is critical!

To make things more impressive, one could think of the global DNS as a sort of global database. But this database has millions of Admins, and most of them NEVER communicate with one another…

Yet it still works very fast!

I can provide tips, knowhow and experience to handling template files for BIND.

My 2 cents
Andy

3 Likes

On the contrary, that’s directly in the scope of the IAM solution–it can set access rules for each application, such that only the appropriate users have access to any given application.

I think my interest was more along the lines of a redundant cluster, something like hotsync on steroids–or maybe even an arrangement where two systems would be “live” replicas and could load-balance. Sounds like that may be down the road, if at all.

I agree it adds a layer of complexity, and it isn’t a trivial one. OTOH, it’s a significant boost to security (applications can’t leak credentials, as they never have them) and application capabilities (want YubiKey support in Roundcube? No problem!). And I believe it can also act as an LDAP proxy, though I haven’t really looked into that so far.

For this to be as useful as possible, we’d want to have as many of our applications as possible “speak” some sort of SSO protocol, and the real question for me is whatever is going to become the new server manager/admin GUI. Understanding it’s early, what’s the intent with that? Write something custom, a la Nethgui? Adapt an existing project (like Cockpit)? If the latter, which (if any) candidates are being considered?

That would be a good alternative, though you’re then limited to DNS providers with APIs–though Cloudflare continues to be an excellent option in that regard. I’d posted this request the other day:

It was motivated by the way CyberPanel and Mail-in-a-Box handle DNS–they both expect to be configured as the authoritative DNS servers for their domain, and they then automatically create the required records. In the case of MiaB, that’s over 50 records for a single domain (I posted the list in the topic linked above). There’s no way we’d trust an admin to get all these right, but if we’re serving them ourselves, no problem. I hadn’t considered integration with an outside DNS host, but that could accomplish much the same thing.

2 Likes

Unless I’m mistaken, Debian 11 doesn’t exist yet–certainly Debian doesn’t seem to think so:
https://www.debian.org/releases/testing/releasenotes

Funny how Proxmox are using a non-existent release as the basis for their latest release (which definitely does exist)…

Not mistaken. It is supposed to be officially released in mid August (although there’s a testing version).
Funny how Proxmox is ahead but explained why (at least bullseye repos seem to be prepared):

Q: Why is Proxmox VE 7.0 released ahead of the stable Debian 11 release?
A: The Debian project team postponed their plans for the May release mainly due to an unresolved issue in the Debian installer. Since we maintain our own Proxmox installer, we are not affected by this particular issue, therefore we have decided to release earlier. The core packages of Proxmox VE are either maintained by the Proxmox team or are already subject to the very strict Debian freeze policy for essential packages.

(Excuses for being a bit off-topic)

3 Likes

I am not a developer, just an end user who has been using e-smith/mitel/smeserver software for over 17 years. I am just now upgrading from Koozali SME Server to Nethserver. I would like to offer these thoughts:

  1. I 100% agree that the priority is:

So nothing should be cloud based unless that “cloud server” is your own box that you control 100%.

  2. As much as I have loved CentOS over the years, I am very concerned about the new direction it is taking and am not convinced it is a reliable base for future development use. I have always preferred CentOS servers and Debian/Ubuntu desktops. Now I am worried about the long term prospects of CentOS servers. Perhaps it is time to consider a more reliable base distro.

  3. I recognize there is tremendous value world wide to have an all in one solution “firewall/router/vpn server/file server/web server/mail/PBX server etc.”. Almost any 10 yr old hardware can handle that, and that may be all that is affordable for many struggling start up small business or developing world needs. But as the complexity and added functionality to nethserver grows, the vulnerability of that all-in-one solution grows.

I myself have never used it as a firewall/router/VPN server. I have always used OpenBSD/FreeBSD m0n0wall/pfSense firewalls to face the internet and SME Server to be file, web, and mail servers. I think all PBX Asterisk servers need to be behind a physical firewall. Small low energy and low cost appliances or old used computers excel at that firewall need. I used a 14 year old 1.6Ghz core 2 duo computer with 2 gigs of ram and 2 nics as my firewall/VPN server at home to handle 100Gb internet and a permanent site to site OpenVPN connection to my office and it did fine for years. I upgraded to a used 2 Ghz 4 core amd A6-5200 and it now maximizes 150Gb throughput and handles all the encryption needs.

Perhaps it is time to consider splitting the system into separate firewall and server modules. They can be combined if all you have is one box, but are ideally separate for more security - but configured to be mutually compatible and configurable. Again I’m just speaking as a long term user who just knows enough to be dangerous in his wish list - not as a developer who knows how to do it.

SMEserver/Nethserver has always been modular in the sense that it allowed you to be local server only, or internet server and local server. But it always presupposed it was the firewall and internet server in one box. Perhaps it’s time to rethink that presupposition.

1 Like

@pauldiggsjazz

Hi Paul

I don’t know what the next NethServer will entail. ATM, if I have the info right, it’s being developed on Fedora, but Debian 11 is a working candidate to run the “Alpha”, if it can be called that. It will be more or less platform agnostic. I trust our Devs here to make a good job out of NethServer 8, and a working migration path…

As to the firewall / server combination: Even MS dropped that from SBS, now even SBS has been dropped.
The BIG disadvantage of an all in one box including firewall: If something Not-Firewall related screws up your server, you won’t have Internet to diagnose / solve that maybe minor issue… :frowning:

My 2 cents
Andy

4 Likes

I would hope at this point with Rocky Linux being released, and a with a CentOS conversion script in the works that NethServer 8 will be available on Rocky as a quick and easy update! Hopefully that becomes a reality as I personally prefer the RHEL based arch, but I can’t speak for anyone else.

@cfd10

Hi

As mentioned by the devs above, it certainly won’t be a RHEL8 clone…
Earliest will be a RHEL9 - or another distro… It may be even distro agnostic…
Prefer Fedora - easy.
Prefer RHEL clone same.
Debian anyone? sure!

Even if distro agnostic - it won’t run on Windows! :slight_smile:
(Not without virtualization)

At the moment, AFAIK, development is done on Fedora.

It won’t be an upgrade, it will probably entail a backup / restore…

My 2 cents
Andy

It depends:
There is a big advantage of having all in one box: Simplicity of management and maintenance and a single hardware box without additional virtualization. So the possibility to have all in one box is very helpful.

With NS having these capabilities, it is possible to have two or more Nethservers, to separate firewall and other applications. I have a NS with (almost) only firewall and other services on other Nethservers and use the reverse proxy to forward requests to the specific servers.

In another application I use it all in one, because no separate hardware, no virtualization.

And in still another application I use only the firewall and openvpn part, as NS is also a very good firewall distribution…

@carsten

Hi

I see an all-in-one box as a BIG disadvantage…

A bit like Monocultures in farming.
If there’s a serious “system” problem, you’re down, maybe even ALL boxes…
And no Internet except for mobile hotspot…

And, instead of reducing hardware, I’d need to MASSIVELY increase hardware, maintenance and more! Most of my clients have / need next to NethServer more Windows & Linux Servers. I’d need to waste money / time for Windows backups / disaster recovery. No way!

Add on top of it “natively” installed Servers directly on Hardware. That’s like going back in time - and being stupid again. No, I will NOT install a productive server natively!
No snapshotting, fiddling around with restore for disaster recovery, driver crap, hardware migration problems, etc.

If it works for you, fine. One size does NOT fit all!

If I were to implement a single box (say for small clients), I’d probably lose all my clients, and a short while later, they would all be running Windows! And a separate firewall box, probably commercial. A great service for OpenSource!

My 2 cents
Andy

1 Like

The discussion is about what NS should offer. Currently it offers everything from having all in one on one single hardware installation to splitting everything up into lots of subservers, and this could be hosted on a virtualization platform. I strongly like this flexibility; NS should keep it and not force users to have more than one real or virtualized server.

With this all in one solution I can also have several virtualized customer servers on a single virtualization platform. One customer - one server, which is much easier than having multiple servers for a single customer.

I also use almost everything virtualized, but as I learned you also use hardware for the firewall (but not NS). So a NS hardware box with only firewall (and maybe very few other packages) would be an application for NS on pure hardware.

As said it depends on the project and customer, and NS has the BIG advantage of giving the choice from simple all in one to more complex multi server configurations.

1 Like

@carsten

Hi Carsten!

Make no mistake, I fully agree with this statement:

Sorry, but NethServer is NOT a viable virtualisation host in my opinion.
There are hardly ANY integrated tools like Backup or whatever.

It does work, but in my Opinion NOT really usable. Proxmox is sooooo much stronger than this.

As a firewall, the DNS isn’t usable in NethServer, the DHCP has plenty of limits and “gotchas”.
No possibility to set up CNAMEs, MX, PTR or a lot of other options.

The DHCP allows for one scope, finished. No option for a per host/client differing setup, if needed.

I love NethServer, but I do like using a “best of breed” strategy in my Networks.

And at the moment, Proxmox is for me by FAR the best Hypervisor. (And no, I will NOT run file server stuff like NFS / SMB on Proxmox!). Live backups of almost any OS including Windows, File / Folder restore for Windows and Linux, Incremental Backups of VMs, full HA Cluster, possibility for hardware independence, and much, much more. All stuff NethServer doesn’t have.

OPNsense is my choice of best of breed OpenSource firewall, and handles for me the perimeter firewall and network. It has all the options I need, and far more. Wireguard? No problem, even with GUI. NethServer doesn’t have that option. I can install Wireguard on NethServer, but that’s not officially supported on NethServer, there isn’t even a GUI for that. Full internet provider failover AND hardware HA with CARP is something NethServer doesn’t yet offer, but is something I use at more than one client!
Disaster recovery on Neth is NOT as smooth as for example in OPNsense. There, even on different hardware, I ONLY need to allocate the NICs, nothing else. A single config file (No data!) is all that’s needed. NethServer needs both for a successful restore to different hardware. And even then, it’s not always smooth, and the more NICs, the less smooth.

NethServer is for me the best All-in-one, but without firewall. I will confirm that NethServer’s firewall works very well, including OpenVPN, but for me and my clients, a firewall box is needed. And one WITHOUT any AD or even the possibility to install AD!

However, I do agree that NethServer should have all options as now, but firewall is NOT critical for me. Nor will I ever use virtualization in NethServer.

How do you achieve DNS with NethServer, if you need eg. CNAMEs? I used to create more A records instead of CNAMEs, but stopped that when I saw that NethServer will hand out PTRs randomly: Any of the A records will become the PTR, but usually NEVER the one you want or need!

I could install BIND on NethServer, but I’d have no GUI available… :frowning:
Webmin would work with BIND and provide me with a GUI, but I could just as well use OpenBSD (Or anything else) and Webmin…

DHCP is less critical for me, but I still find it quite limited!

My 2 cents
Andy

PS:
I do have a PCengines spare box, and a spare 1-2 SSDs for that, so I’m also playing around with a minimalised NethServer on a APU4D4 box.
I also am playing around with Raspberry, PImox (Proxmox on a RPI 8 GB) and including NethServer (and OPNsense!) as ARM versions.

It’s always good to keep looking over the fence, and see what’s interesting and upcoming!

An APU4D4 box with WLan, and several SSDs (for playing around with different systems)…

3 Likes
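The CNAME/PTR problem Andy describes (several A records for one address, so the reverse lookup picks an arbitrary name) is easy to catch before a zone is loaded. The following lint is an added example written for this thread; it is not NethServer or BIND code, and the zone text, domain names and addresses are constructed placeholders. It parses a simplified BIND-style forward and reverse zone and reports addresses with more than one A record, PTRs that name an alias instead of the canonical host, PTRs whose target has no matching A record, dangling CNAMEs and addresses without a PTR.

```python
"""Lint a forward/reverse zone pair for the CNAME/PTR pitfalls discussed above.

Constructed example, not NethServer or BIND code. Zone text is a simplified
BIND-style format: one record per line, "owner [TTL] [IN] TYPE rdata",
with $ORIGIN directives and ';' comments. Only A, CNAME and PTR are examined.
"""

# Constructed sample zones: 192.0.2.20 deliberately carries two A records,
# the reverse zone points one PTR at an alias, and one CNAME dangles.
FORWARD_ZONE = """
$ORIGIN example.internal.
@        IN  SOA   ns1 hostmaster ( 1 3600 900 1209600 300 )
@        IN  NS    ns1
ns1      IN  A     192.0.2.10
mail     IN  A     192.0.2.20
smtp     IN  A     192.0.2.20   ; second A for the same address: PTR is ambiguous
www      IN  A     192.0.2.30
webmail  IN  CNAME mail
intranet IN  CNAME www
files    IN  CNAME nas          ; nas has no record at all
"""

REVERSE_ZONE = """
$ORIGIN 2.0.192.in-addr.arpa.
10  IN  PTR ns1.example.internal.
20  IN  PTR webmail.example.internal.   ; names the alias, not the canonical host
30  IN  PTR www.example.internal.
"""


def absolute(name, origin):
    """Turn a relative owner/target into an absolute name under origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}." if origin == "." else f"{name}.{origin}"


def parse_zone(text):
    """Return a list of (owner, rtype, rdata) tuples with absolute names."""
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):
            continue                              # $TTL etc. are irrelevant here
        owner, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():
            rest = rest[1:]                       # optional TTL
        if rest and rest[0].upper() in ("IN", "CH", "HS"):
            rest = rest[1:]                       # optional class
        if not rest:
            continue
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype in ("CNAME", "PTR", "NS") and rdata:
            rdata = [absolute(rdata[0], origin)]  # name-valued rdata
        records.append((absolute(owner, origin), rtype, rdata))
    return records


def reverse_owner_to_ip(owner):
    """'20.2.0.192.in-addr.arpa.' -> '192.0.2.20'; None if not an IPv4 reverse name."""
    labels = owner.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:-2]))


def lint_zones(forward_text, reverse_text):
    """Return a sorted list of human-readable findings (empty if the pair is clean)."""
    a_owners = {}       # ip -> set of names holding an A record for it
    cname_targets = {}  # alias -> canonical name
    for owner, rtype, rdata in parse_zone(forward_text):
        if rtype == "A":
            a_owners.setdefault(rdata[0], set()).add(owner)
        elif rtype == "CNAME":
            cname_targets[owner] = rdata[0]

    findings = []
    for ip, names in a_owners.items():
        if len(names) > 1:   # several candidates: the resolver's PTR choice is arbitrary
            findings.append(f"ambiguous PTR candidates for {ip}: {', '.join(sorted(names))}")
    for alias, target in cname_targets.items():
        if target not in cname_targets and not any(target in n for n in a_owners.values()):
            findings.append(f"dangling CNAME {alias} -> {target}")

    ptr_ips = set()
    for owner, rtype, rdata in parse_zone(reverse_text):
        if rtype != "PTR":
            continue
        ip = reverse_owner_to_ip(owner)
        if ip is None:
            continue
        ptr_ips.add(ip)
        target = rdata[0]
        if target in cname_targets:
            findings.append(f"PTR for {ip} names alias {target} instead of a canonical host")
        elif target not in a_owners.get(ip, set()):
            findings.append(f"PTR for {ip} names {target}, which has no A record for {ip}")
    for ip in a_owners:
        if ip not in ptr_ips:
            findings.append(f"no PTR for {ip}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_zones(FORWARD_ZONE, REVERSE_ZONE):
        print(finding)
```

Running it on the constructed zones reports the duplicate A records for 192.0.2.20, the PTR that names the webmail alias, and the dangling files CNAME; the fix in each case is one A record per address, one PTR per address naming that canonical host, and CNAMEs for every additional name. The same check can run against any pair of zone files exported from a DNS server before they are reloaded.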

I agree with @carsten here, of course @Andy_Wismer is right, more servers for different services are better, but some customers, for example non-profit associations, don’t have enough money to buy expensive hardware. They use a cheap workstation as server, there you don’t have any chance to run more than one server.

I also use Proxmox as virtualization. You misunderstood me: I was talking about having several NS hosted in a virtualization platform like Proxmox, not about NS as a virtualization platform.

@m.traeumner

Hi Michael

If specific servers are needed, there’s not much choice, a lot of companies use eg Windows based ERP systems, but there is also a lot of specialised stuff out there. All this stuff can run virtualized…

And for a virtualisation hardware, there are a lot of cheaper options than a full blown HP or Dell server.

I do have a non profit organization (Animal / Dog care), they’re using a HP Microserver Gen10 with Proxmox…

And at the moment, I’m looking at this board, with very good performance as Proxmox:

https://www.mini-itx.com/~C3758D4I-4L

I installed Proxmox for one of our members here with Anydesk on the smaller brother of this board, and was quite impressed! The system had 4 separate zfs mirrors… 4 NICs, 32 GB RAM, Quad Core CPU with total 4 threads.

My 2 cents
Andy

1 Like

@carsten

Hi Carsten!

Not quite, I did understand what you were saying, but I also wanted to point out where I think NethServer is lacking, in some places quite severely!

  • DNS
  • DHCP
  • Virtualization
  • Firewall

This due to the reasons stated above.

And to be honest, I actually like the DNS / DHCP implementation in NethServer, but I really need correctly working CNAMEs and PTRs, among other things!

My 2 cents
Andy

1 Like