NethServer 8: planning an evolution

Well… sincerely, I won’t use NethServer for containers. It’s not its purpose. End of the OT.

1 Like

IMO that is not off topic. This topic is a discussion on what we want or need from a Server distribution that aims at SOHO, Small and Medium Enterprises, and (yes I am biased) schools.
And we need as much input from as many people as possible.
So please elaborate. I can imagine containers are used 1 layer up, or on the same layer as NethServer, when using Proxmox, and let Proxmox manage the containers. Or on an even larger scale where a tool like K8s or docker-swarm kicks in.
We might have a reasonably clear view on where NethServer at this moment fits in for which use cases, but we also can’t close our eyes to the immensely fast developments.
I think the discussion should be about where NethServer fits in the (near) future. Is that still an ‘on-premises server’ that can deal with most services? Are (part of) the services moving to datacenters (hate to call it ‘cloud’)?
I don’t see companies leave their offices any time soon, although remote work is taking a huge leap now due to Covid-19. And as long as there are still people working in a certain location, there will be a need for services close by, preferably as close as in the same building to avoid lag and bandwidth problems.
In rural regions, where a stable internet connection is not guaranteed or even obvious, a server that can provide all services without depending on a fast and stable internet connection is a huge plus.
IMO NethServer has a role in exactly that scenario.
So, please shoot and add your opinions. Let us discuss this (IMO) very important topic about the future of this project.

5 Likes

I joined this community as it appeared that NethServer fits best, when I was evaluating which distribution would fit best to replace our old systems in our small company, and I am very happy with my choice.

What I would love to see in the main repo is some integration of a web conference solution for more than 4 concurrent participants, be it a stable package for jitsi-meet or a high performance backend powered talk app inside Nextcloud.

2 Likes

@Elleni you call, we deliver… well, almost. We are VERY busy getting Matrix-synapse with several bridges available on NethServer. Currently Element is already available and we are busy getting Jitsi-meet bridged with Matrix-synapse.
I am currently installing a complete conferencing set on a NethServer VPS so we can use it for our annual community meeting during Fosdem, first weekend of February 2021. The event is taking place online this year due to Covid. More to follow on this in a separate topic.

But please stay on topic in this thread. It is important we all chime in and just say what we think is best for NethServer or for our own needs, which is more or less the same because NethServer is not helped when people abandon the project because it doesn’t fit their needs anymore.

6 Likes

Hi Rob,

Very interesting. That should be great for giving a course on NS, shouldn’t it?

Michel-André

I’ll try: I simply won’t use a spoon to open a can.
If a hypervisor is needed, I will use it. If a container approach is needed, I will use it.
Currently, NethServer is neither of those. And I think it is quite useless and out of focus to put the whole stack of containers or a hypervisor on top of NethServer, only to have “only one server”.

A module for managing KVM virtualization on top of NethServer was proposed, but AFAIK it is not available any more, even if KVM is already available and supported on CentOS.

NethServer can do a lot of things, currently a “one man band” installation for an office or a small company, but the real “core” of NethServer is the template management.

All the functionalities are coming from well known Linux packages (postfix, samba, dovecot, sieve, squid, dhcpd, dnsmasq, shorewall), free versions of projects/products (nTOP, NextCloud, Mattermost) and a stack of tools for using other products (FreePBX for accessing and managing asterisk).
Don’t get me wrong, it’s a hell of a job to keep the pieces together, but when a piece falls (shorewall), unless a new and… sufficiently easy-to-integrate piece is considered, the feature will fall, especially if there are no updates or support from the customers.

Customers want solutions; well, containers or a hypervisor on top of NethServer IMVHO is calling for problems, not solutions.
NethServer 8 will substitute modules with containers? As already stated before, some modules are perfect for becoming containers (webtop, unifi management, MatterMost, even Asterisk), some others not.
And also: who’s willing to have a server without IPv6 management and support, as next generation?

No. “CentOS is already supporting it” is not an answer, CentOS supports IPv6 at least since 6.x (don’t know even if 5.x had it). I mean… IPv6 was available in Windows XP, buddies. The demonified and use like a scarecrow from most of sensed users of this community.

4 Likes

Thank you @pike for your insights. This is very valuable information that we should weigh in in how the project is going on.
I agree with you that having NethServer as KVM host is not a logical one. However, I am not convinced that it couldn’t be a host for containers. If you consider that containers are to offer services, not OS’s (VM’s). Isn’t this the current use case for NethServer? Offering services in an easy to manage interface? The services will still be coming from well known Linux packages like you mentioned.
Many members of our community (including me) went for a virtualization layer under a NethServer install. Because it eases the admin tasks even more by the availability of taking snapshots and easily spinning up a fresh instance of NethServer by using a template.
Using containers for services instead of installing them directly on NethServer isn’t that the next step in easing up the sysadmin tasks?
I don’t want to persuade you to go along with this way of thinking. I am not sure if I am completely happy with this way of thinking myself, but we are still brainstorming and getting our options.
I’d love to hear more and different ideas and options.

3 Likes

I do want to come back to this point by @giacomo in the opening post. I don’t understand why this is said, because there is a shorewall package in epel. Did I miss something substantial?
https://centos.pkgs.org/8/epel-x86_64/shorewall-5.2.2-4.el8.noarch.rpm.html

Personally, I’m not a big fan of the Docker way of doing things, though part of that may be my ignorance of how to use it to my advantage (this is a fight^W discussion I’ve gotten into a number of times on the FreeNAS forums too, FWIW). But it isn’t clear to me that it would necessarily result in a major change to the way Neth works from an end-user (or perhaps end-admin) perspective.

From my perspective as an admin, what makes Neth attractive is that it provides a number of useful LAN and WAN services, it provides a reasonably secure configuration out of the box, and it’s easy to administer. And it uses the e-smith template system for configuration, meaning migration from my SME server was pretty much painless. I wasn’t especially concerned about what technology was being used under the hood.

I’d expect that a largely Docker-based system could work pretty similarly from the perspective of the normal admin–there would still be a server manager GUI, it would still run a configuration database, and the relevant application configuration settings would be driven from that database. Right? I’d expect this to make a lot of work for the devs (which may be a good enough reason not to go this direction), but it seems like it could be relatively transparent from a user/admin perspective.

What would be important, I think, is that the Neth system be more than just RancherOS/Portainer/some other GUI Docker manager–there are lots of those out there. The relatively-unified server manager (old school, Cockpit, or something else) is essential, IMO.

2 Likes

@robb

Hi Robb

I’d fully agree with this, but I’d also like to note:

At the moment, I can increase the services on NethServer as much as I like, besides the AD component, which needs an IP for itself, there’s NO need for any other IPs or complexity.

Using Containers, I may have to use 20, 30 or even 50 different IPs and Networks, to get the same effect as before. Supporting this won’t be easy! I consider myself Network agnostic, after working with so many networks, it’s not a real issue for me. However, I do like correct & complete documentation, and this is where the work increases!

Besides which, I can just imagine a mail server using 10 or more IPs… (Dovecot, SMTP, Webmail, Database for Webmail, add in NextCloud / SoGo / WebTop including their needed Databases…)
The BIG headache may be getting correct DKIM / SPF / etc working for mail - with so many IPs!

My 2 cents
Andy

3 Likes

It probably would be good to clarify what kind of containers we’re talking about–LXC, Docker, something else? I don’t think a system using LXC containers (at least, if they behave as they do under Proxmox wrt networking) would make a very good replacement for Neth.

@danb35

I mean Containers = Docker (at least here), else I’ll use LXC…

:slight_smile:
Andy

In that case, doesn’t Docker ordinarily create its own network? You then need to deal with exposing/forwarding ports for the containers, but you aren’t eating up IPs on your green network.

Docker does create its own network - somewhat uncoordinated…

And that’s where problems can crop up. Not for a private home user (rarely), but in SME and larger environments, using 10.x.x.x or 172.x.x.x networks…

I had one experience which took two days to solve…
A Docker container picked the IP of the default gateway (and DHCP server). After starting up, no network… :frowning:

No infos before, an unusual network for a home (172.30.31.0/24)… And yet it screwed up classically!

My 2 cents
Andy
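
The collision described in the post above can be checked before Docker is installed on a site. This is an added example, not part of the original thread: it compares site subnets with Docker's default bridge address pools and builds a `default-address-pools` fragment for `daemon.json`. The pool list is an assumption about Docker's built-in defaults; the second site subnet and the `10.200.0.0/16` replacement base are constructed.

```python
import ipaddress
import json

# Assumption: Docker's built-in pools for local bridge networks, as
# (base, prefix length of each subnet Docker carves out of that base).
DOCKER_DEFAULT_POOLS = [
    ("172.17.0.0/16", 16), ("172.18.0.0/16", 16), ("172.19.0.0/16", 16),
    ("172.20.0.0/14", 16), ("172.24.0.0/14", 16), ("172.28.0.0/14", 16),
    ("192.168.0.0/16", 20),
]

# 172.30.31.0/24 is the LAN from the post; 192.168.1.0/24 is constructed.
SITE_NETWORKS = ["172.30.31.0/24", "192.168.1.0/24"]


def candidate_subnets(pools):
    """Yield every subnet Docker could hand to a new bridge network."""
    for base, size in pools:
        yield from ipaddress.ip_network(base).subnets(new_prefix=size)


def find_collisions(lan_subnets, pools=DOCKER_DEFAULT_POOLS):
    """Return (docker_subnet, lan_subnet) pairs whose ranges overlap."""
    lans = [ipaddress.ip_network(s) for s in lan_subnets]
    return [
        (str(cand), str(lan))
        for cand in candidate_subnets(pools)
        for lan in lans
        if cand.overlaps(lan)
    ]


def safe_pool_config(lan_subnets, base="10.200.0.0/16", size=24):
    """Build a daemon.json fragment; refuse a base that overlaps the site."""
    base_net = ipaddress.ip_network(base)
    for s in lan_subnets:
        if base_net.overlaps(ipaddress.ip_network(s)):
            raise ValueError(f"{base} overlaps site network {s}")
    return {"default-address-pools": [{"base": base, "size": size}]}


if __name__ == "__main__":
    for docker_net, lan in find_collisions(SITE_NETWORKS):
        print(f"Docker may allocate {docker_net}, which overlaps {lan}")
    print(json.dumps(safe_pool_config(SITE_NETWORKS), indent=2))
```
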

We want to keep it, but probably not on the same base system.

We can overcome the shorewall issue, but the hardware is the real problem. In the future firewalls will probably be smaller machines (arm based?), and CentOS 8 doesn’t quite fit well on tiny hardware (/cc @Conan_Kudo).

But you had to manually configure every application and this is what NethServer is doing for you out-of-the-box. I think that @pike described such process very well.

Containers could be just a different implementation of NethServer modules but we still need all the glue to keep many pieces together as correctly highlighted by @danb35 and @robb.
I just want to reassure @Andy_Wisme: all the network mess should be hidden from users’ eyes :wink:

Regarding the container engine, probably the choice will be podman since it is already integrated in RHEL.

3 Likes

This should not be an issue in the near future. There is active work to slim down and better support ARM SBCs with CentOS by the AltArch SIG. Pablo Greco in CentOS has been doing that work, and it’s making decent progress.

2 Likes

Personally speaking, I think switching to nftables would be worth it, given how it improves handling complex rule sets and integrates functionality that was split across a range of different netfilter interfaces, but if you’re already not using an abstraction that makes that easy to do, I could see you wanting to keep the older way with iptables, ipsets, and so on.

Out of curiosity, is that for anything beyond PHP? Because Remi Collet still offers SCLs for PHP for CentOS 8. Python Application Streams are parallel-installable already, and the Developer Toolset for C/C++ still uses SCLs.

1 Like

IMO, NethServer should be a one-fits-all solution but smarter than others.

Nethesis understands the SME; it should stay in that scope: firewall, file server, mail, chat, collaboration, backup, VoIP, …

Container

  • All applications should be relayed to containers (LXC, PodMan, Docker, CRI-O, Kata, …)
    Perhaps, something like Kubernetes seems to be more futuristic-proof since is allow SUSE, RedHat and Google look that way. It also removes a lot of PoF.

Cluster

  • Focusing on decentralization and hybrid infra such as easy-to-make inter-site connections, cluster and failover. Maybe something like WireGuard or IPSec, Gluster-FS or CEPH.

Security

  • Something like NethSecurity aka Gateway functions such as UTM, ThreatShield

I read earlier, multi tenancy. That was often a show stopper for me, that and Apache.

4 Likes

I think that multi tenancy/multi domain/multiple user base will never be considered as an option for development.
This will be ideal for service providers, but won’t fit most of end users. Adding a multi layer maze of complications due to mix and match userbases, domains, applications, modules that should be accessible for one but not for other, branded in one way on one side and in another way on others. And with “tenant level” administrative users, if requested.

Do you remember old phone switchboards?


If you can imagine that in nine dimensions, you’re way smarter than me. In any case, this complexity must be strained in two, maximum three dimensions for allowing “server owner”, “tenant admin” and “user” to access without parkouring internet. And believe me, someone will ask you in a few days to sub-sell a part of the product they buy. Billing as detonating cherry on top? :wink:

With IPv6 support, multiwan, full fledged NAT and containers (or virtualization), you can have quite the same level of segmenting the product. If you agree with me, a real hypervisor with a powerful firewall can make NethServer a pure application server, with enough public IP address.
Again: v6. Or the next generation will be the last.

6 Likes

57 posts were split to a new topic: CentOS Linux to Centos Stream discussion