NethServer 8: planning an evolution

COBOL and FORTRAN are far more powerful than PASCAL, TurboPASCAL and descendants. But they are… “constrained” into their worlds.
At least Delphi is… a bit wider. Anyway, I was thinking that Delphi was dead, but Embarcadero Technologies proved I was wrong.

So anything really on topic lately?

Just a little heads-up, as we are going to slow down the development of NS8 during August :palm_tree:

During the past weeks we updated the docs a lot. We didn’t finish, though! More about UI is about to come.

ns8-core/README.md at main · NethServer/ns8-core · GitHub

Still early for that. Hopefully we’ll meet in September :heart:

Yes, the install.sh script is documented and easy to run on any Debian 11 or Fedora 34 system. I don’t know what kind of idea you can get from a running system though… The UI is still in a mockup experiment state. Additional software needs console commands. It’s still a hard prototype experience!

However here’s a brief list of what we did in the past weeks (disclaimer: it’s something that is not even alpha - everything can change)

  • Dokuwiki module
  • Traefik HTTP reverse-proxy configurable by other modules (e.g. Dokuwiki)
  • Traefik API for Let’s Encrypt certificates. Really easy to get the server FQDN certificate!
  • UI prototype mockup
  • Loki/promtail centralized log server
  • Samba account provider, yes with multi-DC setup
  • Online applications/modules index (where Software Center gathers applications info) GitHub - NethServer/ns8-repomd: NS8 modules index metadata repository

A more detailed list is available in the “Done” column of the Trello roadmap board: Trello

Some important differences from ns7

  • E-smith is no longer there. No “official” template engine. The expand-template command of ns7 has no substitute. Events and actions are a completely different thing too.
  • Multi-tenancy: the platform is not designed for multi-tenancy, however NS8 is already a step forward in that direction, because applications are free to support it. For instance, it is already possible to install multiple Samba domains in a NS8 cluster.
  • Distro agnostic (still). Both Debian and Fedora are good by now. In the near future, I’m curious to see if CentOS Stream 9 at first, then RHEL 9 and derivatives, can replace Fedora 34.
7 Likes

FWIW, Fedora is a “no way” for setting up even a test machine.
Personal opinion.

I have no expectations on the functionality at all :grinning: Just trying to understand what you devs are working on.
Never having used Docker, Podman was already a steep learning curve. Maybe after the crash course @Andy_Wismer gave me this weekend on networking I’ll be better equipped to understand what Traefik does. :thinking:
So for me a UI would get in the way trying to understand the internals anyway. :rofl:

However it is a good development environment. :grinning:


3 Likes

I forgot to mention that. So long, Mitel Networks and SMEServer. I think it has been quite an important part of this experience.

I’m sure it’s considerably lower-priority than getting the system working in the first place, but I hope (and trust) serious attention is being given to the question of migrating an existing NS7 installation to NS8. I’m sure it will have to be backup/install/restore–I can’t imagine migrating in-place to something like this–but there’s going to have to be a robust way to do this.

But also, a reworking of the system like this sounds like a good opportunity to integrate a SSO/IAM system, and use that as the one backend to rule them all. LLNG is available in Docker containers; it would seem to be a good fit here.

1 Like

IMVHO, @danb35 this could lead to something that maybe Nethesis doesn’t want: the lack of capability to connect to an external SSO/IAM, which SSSD gave to NethServer.
Many people are using NethServer as a “network core”, but not everyone wants to change their current information system for connecting another server.
Moreover: sometimes having separate login processes (and no SSO) may help keep people who are not supposed to access some functions of the server from doing so.

I’m happy that word is still appealing :laughing:

By now, “cluster” in NS8 is all about sharing configuration and accounts among multiple nodes.

  • The configuration is stored in the Redis DB: NS8 has a “leader” node and can have additional “worker” nodes. The administration UI changes the configuration DB. Agents running everywhere pick up the configuration and apply it. One module, one agent.
  • Account providers design is still really experimental. We are evaluating this approach: no more SSSD, no more Unix user accounts: applications access LDAP directly. Each node has a LDAP replica running locally (if the account provider is local, of course). AD is natively multi-master and we have a working multi-DC configuration. OpenLDAP multi-master is possible and widely documented too (still we didn’t implement it).

Further clustering of modules/application instances is possible, but not planned by now: we are focusing on the core platform.

We are discussing how to deal with connectivity problems among nodes: having local replicas should ensure that services continue to work in any situation.

It is one main goal. Still too early to say how, but a possible approach is leveraging another feature we want to put in the NS8 platform: module/application migration from one node to another. Moving applications around is part of the daily sysadmin job: we want to ease it!

I’ve no direct experience, so don’t mind me. It is interesting but the additional complexity is a bit scary. I read in another thread that it can be important for Mattermost integration too: that’s a good point. I agree it would be nice to have it as alternative account provider configuration. Applications that support it could then bind to it and enjoy SSO.

Yes, NS8 still allows remote account provider to integrate existing systems.

Exactly! In NS8 the admin UI has a separate users+authentication DB.

7 Likes

Would really love a proper DNS (all types of entries, multi-zone etc.).

4 Likes

Well, luckily a DNS service is not required by the core services. To keep it as simple as possible we consider DNS as a service provided by someone else.

It would be nice to integrate with DNS providers to ease the services configuration.

This does not conflict with a DNS module running in NS8 itself, as a public service too. It would be nice to have.

To evaluate a development effort

  • Does the module provide a configuration UI? Do we need to develop an UI for it?
  • Do other modules need to integrate with the new module? Does it provide a (standard) API/protocol for that?
1 Like

@davidep

As said, BIND is still the standard implementation of a DNS server, and has been the reference since day one.

I’ve myself intensively used BIND as a provider in the early 2000s, and it works very well, needs no database or any critical stuff other than a “zone” folder, where zone configs are kept.

A simple example of a well working WebGUI for BIND is available for example in Jamie Cameron’s Webmin, a tool I’ve also used a lot.

I also installed BIND on NethServer’s predecessor SME-Server, and installed Webmin there just to administrate BIND.

BIND can handle every specific requirement of a DNS Server - it still is the reference implementation!

Manual file handling takes a lot of know-how and precise implementation; the syntax of the zone files is critical!

To make things more impressive, one could think of the global DNS as a sort of global database. But this database has millions of admins, and most of them NEVER communicate with one another…

Yet it still works very fast!

I can provide tips, knowhow and experience to handling template files for BIND.

My 2 cents
Andy

3 Likes

On the contrary, that’s directly in the scope of the IAM solution–it can set access rules for each application, such that only the appropriate users have access to any given application.

I think my interest was more along the lines of a redundant cluster, something like hotsync on steroids–or maybe even an arrangement where two systems would be “live” replicas and could load-balance. Sounds like that may be down the road, if at all.

I agree it adds a layer of complexity, and it isn’t a trivial one. OTOH, it’s a significant boost to security (applications can’t leak credentials, as they never have them) and application capabilities (want YubiKey support in Roundcube? No problem!). And I believe it can also act as an LDAP proxy, though I haven’t really looked into that so far.

For this to be as useful as possible, we’d want to have as many of our applications as possible “speak” some sort of SSO protocol, and the real question for me is whatever is going to become the new server manager/admin GUI. Understanding it’s early, what’s the intent with that? Write something custom, a la Nethgui? Adapt an existing project (like Cockpit)? If the latter, which (if any) candidates are being considered?

That would be a good alternative, though you’re then limited to DNS providers with APIs–though Cloudflare continues to be an excellent option in that regard. I’d posted this request the other day:

It was motivated by the way CyberPanel and Mail-in-a-Box handle DNS–they both expect to be configured as the authoritative DNS servers for their domain, and they then automatically create the required records. In the case of MiaB, that’s over 50 records for a single domain (I posted the list in the topic linked above). There’s no way we’d trust an admin to get all these right, but if we’re serving them ourselves, no problem. I hadn’t considered integration with an outside DNS host, but that could accomplish much the same thing.

2 Likes
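Two points raised above, that zone-file syntax is unforgiving (a forgotten trailing dot silently turns `ns2.example.com` into `ns2.example.com.example.com.`, and an unbumped SOA serial means secondaries never pick up the change) and that a mail domain needs a set of records an admin is unlikely to get right by hand, can both be checked mechanically. The following is an added example, not code from NethServer, NS8, BIND or Mail-in-a-Box: a small stdlib-only Python linter for a BIND-style zone file. It handles `$ORIGIN`, `$TTL`, `;` comments (quote-aware, so a DMARC `p=reject;` string survives) and parenthesised SOA records, and then flags the classic mistakes plus a minimal mail-hygiene set (SPF and `_dmarc` present when the apex has an MX, MX target not a CNAME and backed by an A/AAAA record). The two zone texts, the `example.com` names and the `192.0.2.0/24` addresses are constructed sample input; the checks are deliberately a subset, not the full record list MiaB publishes.

```python
"""Minimal BIND zone-file linter (added example, not project code)."""
import re

RELATIVE_TARGET_TYPES = ("NS", "CNAME", "MX", "SRV")   # rdata ends with a domain name


def _strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted TXT string."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line


def _absolute(name, origin):
    """Expand a zone-file owner/target name to a fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"          # relative names get $ORIGIN appended


def parse_zone(text, origin=None):
    """Return (origin, records); each record is a dict with name/type/rdata/ttl."""
    merged, buf, depth = [], [], 0
    for raw in text.splitlines():     # join "( ... )" statements spanning lines
        line = _strip_comment(raw).rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            merged.append(" ".join(buf))
            buf, depth = [], 0

    records, default_ttl, last_name = [], None, None
    for line in merged:
        toks = re.findall(r'"[^"]*"|\S+', line.replace("(", " ").replace(")", " "))
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            default_ttl = toks[1]
            continue
        name = last_name if line[0].isspace() else toks.pop(0)   # blank owner = previous owner
        ttl = default_ttl
        if toks and toks[0].isdigit():
            ttl = toks.pop(0)
        if toks and toks[0].upper() == "IN":
            toks.pop(0)
        if toks and toks[0].isdigit():                           # TTL may follow the class
            ttl = toks.pop(0)
        rtype = toks.pop(0).upper()
        last_name = name
        records.append({"name": _absolute(name, origin), "type": rtype, "rdata": toks, "ttl": ttl})
    return origin, records


def lint(text, previous_serial=None):
    """Return a list of human-readable findings; an empty list means the zone passed."""
    origin, recs = parse_zone(text)
    findings = []
    by_key = {}
    for r in recs:
        by_key.setdefault((r["name"], r["type"]), []).append(r)

    soa = [r for r in recs if r["type"] == "SOA"]
    if len(soa) != 1:
        findings.append("exactly one SOA record is required")
    else:
        serial = int(soa[0]["rdata"][2])       # SOA rdata: mname rname serial refresh retry expire minimum
        if previous_serial is not None and serial <= previous_serial:
            findings.append(f"SOA serial {serial} is not greater than the published {previous_serial}; "
                            "secondaries will not transfer the new zone")

    bare_origin = origin.rstrip(".")
    for r in recs:
        if r["type"] in RELATIVE_TARGET_TYPES:
            target = r["rdata"][-1]
            if not target.endswith(".") and target.endswith(bare_origin):
                findings.append(f"{r['type']} target '{target}' lacks a trailing dot; "
                                f"it expands to '{_absolute(target, origin)}'")
        if r["type"] == "MX":
            tgt = _absolute(r["rdata"][-1], origin)
            if (tgt, "CNAME") in by_key:
                findings.append(f"MX target {tgt} is a CNAME (RFC 2181 forbids this)")
            elif tgt.endswith(origin) and (tgt, "A") not in by_key and (tgt, "AAAA") not in by_key:
                findings.append(f"MX target {tgt} has no A/AAAA record in this zone")

    if (origin, "MX") in by_key:                                  # mail hygiene for the apex
        txts = [" ".join(r["rdata"]) for r in by_key.get((origin, "TXT"), [])]
        if not any("v=spf1" in t for t in txts):
            findings.append("zone has an MX but no SPF TXT record at the apex")
        if ("_dmarc." + origin, "TXT") not in by_key:
            findings.append("zone has an MX but no _dmarc TXT record")
    return findings


# Constructed sample input: the same zone before and after fixing the mistakes.
ZONE_BROKEN = """$ORIGIN example.com.
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2021072801 ; serial -- NOT bumped after the edit
        7200 900 1209600 3600 )
@   IN NS  ns1.example.com.
    IN NS  ns2.example.com   ; missing trailing dot
ns1 IN A   192.0.2.10
ns2 IN A   192.0.2.11
@   IN MX  10 mail.example.com.
mail IN A  192.0.2.20
@   IN TXT "v=spf1 mx -all"
"""

ZONE_FIXED = """$ORIGIN example.com.
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. ( 2021072802 7200 900 1209600 3600 )
@   IN NS  ns1.example.com.
    IN NS  ns2.example.com.
ns1 IN A   192.0.2.10
ns2 IN A   192.0.2.11
@   IN MX  10 mail.example.com.
mail IN A  192.0.2.20
@   IN TXT "v=spf1 mx -all"
_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
"""

if __name__ == "__main__":
    for f in lint(ZONE_BROKEN, previous_serial=2021072801):
        print("BROKEN:", f)
    print("FIXED:", lint(ZONE_FIXED, previous_serial=2021072801) or "clean")
```

Run against `ZONE_BROKEN` with the previously published serial, the linter reports the unbumped serial, the relative `ns2` NS target and the missing `_dmarc` record; `ZONE_FIXED` comes back clean. `named-checkzone` catches the syntax errors for real zones; what this adds is the semantic checks a template engine or UI generating the zone would want to run before bumping the serial and reloading.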

Unless I’m mistaken, Debian 11 doesn’t exist yet–certainly Debian doesn’t seem to think so:
https://www.debian.org/releases/testing/releasenotes

Funny how Proxmox are using a non-existent release as the basis for their latest release (which definitely does exist)…

Not mistaken. It is supposed to be officially released in mid August (although there’s a testing version).
Funny how Proxmox is ahead but explained why (at least bullseye repos seem to be prepared):

Q: Why is Proxmox VE 7.0 released ahead of the stable Debian 11 release?
A: The Debian project team postponed their plans for the May release mainly due to an unresolved issue in the Debian installer. Since we maintain our own Proxmox installer, we are not affected by this particular issue, therefore we have decided to release earlier. The core packages of Proxmox VE are either maintained by the Proxmox team or are already subject to the very strict Debian freeze policy for essential packages.

(Excuses for being a bit off-topic)

3 Likes

I am not a developer, just an end user who has been using e-smith/mitel/smeserver software for over 17 years. I am just now upgrading from Koozali SME Server to Nethserver. I would like to offer these thoughts:

  1. I 100% agree that the priority is:

So nothing should be cloud based unless that “cloud server” is your own box that you control 100%.

  2. As much as I have loved CentOS over the years, I am very concerned about the new direction it is taking and am not convinced it is a reliable base for future development use. I have always preferred CentOS servers and Debian/ubuntu desktops. Now I am worried about the long term prospects of CentOS servers. Perhaps it is time to consider a more reliable base distro.

  3. I recognize there is tremendous value world wide to have an all in one solution “firewall/router/vpn server/file server/web server/mail/PBX server etc.”. Almost any 10 yr old hardware can handle that, and that may be all that is affordable for many struggling start up small business or developing world needs. But as the complexity and added functionality to nethserver grows, the vulnerability of that all in one solution grows.

I myself have never used it as a firewall/router/VPN server. I have always used OpenBSD/FreeBSD monowall/pfSense firewalls to face the internet and SME Server to be file, web, and mail servers. I think all PBX Asterisk servers need to be behind a physical firewall. Small low energy and low cost appliances or old used computers excel at that firewall need. I used a 14 year old 1.6Ghz core 2 duo computer with 2 gigs of ram and 2 nics as my firewall/VPN server at home to handle 100Gb internet and a permanent site to site OpenVPN connection to my office and it did fine for years. I upgraded to a used 2 Ghz 4 core amd A6-5200 and it now maximizes 150Gb throughput and handles all the encryption needs.

Perhaps it is time to consider splitting the system into separate firewall and server modules. They can be combined if all you have is one box, but are ideally separate for more security - but configured to be mutually compatible and configurable. Again I’m just speaking as a long term user who just knows enough to be dangerous in his wish list - not as a developer who knows how to do it.

SMEserver/Nethserver has always been modular in the sense that it allowed you to be local server only, or internet server and local server. But it always presupposed it was the firewall and internet server in one box. Perhaps its time to rethink that presupposition.

1 Like

@pauldiggsjazz

Hi Paul

I don’t know what the next NethServer will entail. ATM, if I have the info right, it’s being developed on Fedora, but Debian 11 is a working candidate to run the “Alpha”, if it can be called that. It will be more or less platform agnostic. I trust our Devs here to make a good job out of NethServer 8, and a working migration path…

As to the firewall / server combination: Even MS dropped that from SBS, now even SBS has been dropped.
The BIG disadvantage of an all in one box including firewall: If something Not-Firewall related screws up your server, you won’t have Internet to diagnose / solve that maybe minor issue… :frowning:

My 2 cents
Andy

4 Likes

I would hope at this point, with Rocky Linux being released and with a CentOS conversion script in the works, that NethServer 8 will be available on Rocky as a quick and easy update! Hopefully that becomes a reality as I personally prefer the RHEL based arch, but I can’t speak for anyone else.