NethServer 8: planning an evolution

@cfd10

Hi

As mentioned by the devs above, it certainly won’t be a RHEL8 clone…
Earliest will be a RHEL9 - or another distro… It may be even distro agnostic…
Prefer Fedora - easy.
Prefer RHEL clone same.
Debian anyone? sure!

Even if distro agnostic - it won’t run on Windows! :slight_smile:
(Not without virtualization)

At the moment, AFAIK, development is done on Fedora.

It won’t be an upgrade, it will probably entail a backup / restore…

My 2 cents
Andy

It depends:
There is a big advantage of having all in one box: Simplicity of management and maintenance and a single hardware box without additional virtualization. So the possibility to have all in one box is very helpful.

With NS having these capabilities, it is possible to have two or more NethServers, to separate the firewall and other applications. I have a NS with (almost) only the firewall and other services on other NethServers, and use the reverse proxy to forward requests to the specific servers.

In another application I use it all in one, because there is no separate hardware and no virtualization.

And in still another application I use only the firewall and openvpn part, as NS is also a very good firewall distribution…

@carsten

Hi

I see an all-in-one box as a BIG disadvantage…

A bit like Monocultures in farming.
If there’s a serious “system” problem, you’re down, maybe even ALL boxes…
And no Internet except for mobile hotspot…

And, instead of reducing hardware, I’d need to MASSIVELY increase hardware, maintenance and more! Most of my clients have / need next to NethServer more Windows & Linux Servers. I’d need to waste money / time for Windows backups / disaster recovery. No way!

Add on top of it “natively” installed Servers directly on Hardware. That’s like going back in time - and being stupid again. No, I will NOT install a productive server natively!
No snapshotting, fiddling around with restore for disaster recovery, driver crap, hardware migration problems, etc.

If it works for you, fine. One size does NOT fit all!

If I were to implement a single box (say for small clients), I’d probably lose all my clients, and a short while later, they would all be running Windows! And a separate firewall box, probably commercial. A great service for OpenSource!

My 2 cents
Andy

1 Like

The discussion is about what NS should offer. Currently it offers everything from having all in one on a single hardware installation to splitting everything up into lots of subservers, and this could be hosted on a virtualization platform. I strongly like this flexibility; NS should keep it and not force users to have more than one real or virtualized server.

With this all-in-one solution I can also have several virtualized customer servers on a single virtualization platform. One customer - one server, which is much easier than having multiple servers for a single customer.

I also use almost everything virtualized, but as I learned you also use hardware for the firewall (but not NS). So a NS hardware box with only the firewall (and maybe very few other packages) would be an application for NS on pure hardware.

As said it depends on the project and customer, and NS has the BIG advantage of giving the choice from simple all in one to more complex multi server configurations.

1 Like

@carsten

Hi Carsten!

Make no mistake, I fully agree with this statement:

Sorry, but NethServer is NOT a viable virtualisation host in my opinion.
There are hardly ANY integrated tools like Backup or whatever.

It does work, but in my Opinion NOT really usable. Proxmox is sooooo much stronger than this.

As a firewall, the DNS isn’t usable in NethServer, the DHCP has plenty of limits and “gotchas”.
No possibility to set up CNAMES, MX, PTR or a lot of other options.

The DHCP allows for one scope, finished. No option for a per host/client differing setup, if needed.

I love NethServer, but I do like using a “best of breed” strategy in my Networks.

And at the moment, Proxmox is for me by FAR the best Hypervisor. (And no, I will NOT run file server stuff like NFS / SMB on Proxmox!). Live backups of almost any OS including Windows, File / Folder restore for Windows and Linux, Incremental Backups of VMs, full HA Cluster, possibility for hardware independence, and much, much more. All stuff NethServer doesn’t have.

OPNsense is my choice of best of breed OpenSource firewall, and handles for me the perimeter firewall and network. It has all the options I need, and far more. Wireguard? No problem, even with GUI. NethServer doesn’t have that option. I can install Wireguard on NethServer, but that’s not officially supported on NethServer, there isn’t even a GUI for that. Full internet provider failover AND hardware HA with CARP is something NethServer doesn’t yet offer, but is something I use at more than one client!
Disaster recovery on Neth is NOT as smooth as for example in OPNsense. There, even on different hardware, I ONLY need to allocate the NICs, nothing else. A single config file (No data!) is all that’s needed. NethServer needs both for a successful restore to different hardware. And even then, it’s not always smooth, and the more NICs, the less smooth.

NethServer is for me the best All-in-one, but without firewall. I will confirm that NethServer’s firewall works very well, including OpenVPN, but for me and my clients, a firewall box is needed. And one WITHOUT any AD or even the possibility to install AD!

However, I do agree that NethServer should have all options as now, but firewall is NOT critical for me. Nor will I ever use virtualization in NethServer.

How do you achieve DNS with NethServer, if you need eg. CNAMES? I used to create more A records instead of CNAMES, but stopped that when I saw that NethServer will hand out PTRs randomly: Any of the A records will become the PTR, but usually NEVER the one you want or need!

I could install BIND on NethServer, but I’d have no GUI available… :frowning:
Webmin would work with BIND and provide me with a GUI, but I could just as well use OpenBSD (Or anything else) and Webmin…

DHCP is less critical for me, but I still find it quite limited!

My 2 cents
Andy

PS:
I do have a PCengines spare box, and a spare 1-2 SSDs for that, so I’m also playing around with a minimalised NethServer on an APU4D4 box.
I’m also playing around with Raspberry, PImox (Proxmox on a RPI 8 GB) and including NethServer (and OPNsense!) as ARM versions.

It’s always good to keep looking over the fence, and see what’s interesting and upcoming!

An APU4D4 box with WLan, and several SSDs (for playing around with different systems)…

3 Likes

I agree with @carsten here, of course @Andy_Wismer is right, more servers for different services are better, but some customers, for example non-profit associations, don’t have enough money to buy expensive hardware. They use a cheap workstation as server, there you don’t have any chance to run more than one server.

I also use Proxmox as virtualization. You misunderstood me: I was talking about having several NS hosted in a virtualization platform like Proxmox, not about NS as a virtualization platform.

@m.traeumner

Hi Michael

If specific servers are needed, there’s not much choice, a lot of companies use eg Windows based ERP systems, but there is also a lot of specialised stuff out there. All this stuff can run virtualized…

And for a virtualisation hardware, there are a lot of cheaper options than a full blown HP or Dell server.

I do have a non profit organization (Animal / Dog care), they’re using a HP Microserver Gen10 with Proxmox…

And at the moment, I’m looking at this board, with very good performance as Proxmox:

https://www.mini-itx.com/~C3758D4I-4L

I installed Proxmox for one of our members here with Anydesk on the smaller brother of this board, and was quite impressed! The system had 4 separate zfs mirrors… 4 NICs, 32 GB RAM, Quad Core CPU with total 4 threads.

My 2 cents
Andy

1 Like

@carsten

Hi Carsten!

Not quite, I did understand what you were saying, but I also wanted to point out where I think NethServer is lacking, in some places quite severely!

  • DNS
  • DHCP
  • Virtualization
  • Firewall

This due to the reasons stated above.

And to be honest, I actually like the DNS / DHCP implementation in NethServer, but I really need correctly working CNAMES and PTRs, among other things!

My 2 cents
Andy

1 Like

Thanks for your answer and the link, it’s very interesting, but not for the customers I mean, they have bought a used 150 € dell workstation, there runs a virtualization for easier snapshots and image backups, but a second guest is not really possible.

1 Like

Question is: which services can they afford to have down, if this “one server” is down?
Money is only a part of the equation; money is part of the resources that a manager can put into that kind of problem management. Time, people, disservices rising during problems, necessities (this cannot stop) and utilities (this service can stop for that time and it will generate this kind of issues).

FWIW i agree with @Andy_Wismer about “virtualizing/containering should not be default”, as stated in other posts. This works for some kind of app/services like email, and applications servers, and others totally don’t (IMVHO the most unsuitable is NextCloud, due to disk consumption, but that’s not the only one).

Moreover, switching from a “one man band scenario” to a “container organizer and deployer” could put NethServer into another list of concerns:

  • Which are the competitors with far more container service knowledge?
  • How much overhead will there be for computational power, memory, network traffic and disk consumption?
  • Will backup be “whole system only at once” or will it be cherry-pick managed, if necessary for the design setup?
  • Can the backup module act as a network backup service orchestrator for the containerized applications?
  • Will there be loss of granularity compared to the current backup solution?

I’ll look with interest at the experiments, but I am really concerned about the overhead and dependencies. Now it’s a service, tomorrow it may be a container. Which I don’t know how it will be considered “the right one” for the system.

Moreover… a bit of theory…
For instance, my “future” NethServer 8 will have a container as mailserver… which should also be my SMTP server. And the “host” is using (wisely, IMVHO) this mailserver as SMTP server for delivering notifications. I should have a notification in case of problems. Which should be… the container. Which is the problematic container.
Moreover… Maybe the subscription with monitoring can work around the problem, and also the problem may be the same if the SMTP server is a service on the host, instead of a container/guest system… And this kind of problem may be related to my poor design, I can relate with that.
So for the monitoring of NethServer I should use another SMTP service like the free ones (Yahoo, gMail, protonmail, whatever…)
And this should be a good design for system and services? If there’s a problem with the internet, the alert could fail and I won’t have any future trace, unless log scrubbing and investigations.

Again… Maybe I’m the one who’s overthinking and overfearing about this kind of layout (someone mentioned that the K.I.S.S principle is at the grounds of Unix and Linux, but simple sometimes doesn’t mean easy) but going full container doesn’t seem “simple” to me…

4 Likes

@pike

Hi Michael

To spin your “Mailserver” subject a bit further with failsafe monitoring and escalation:

A few logical rules…

  • The system monitors itself.
  • If any module (including mail) fails, an alarm is triggered, including a notification.
  • If it’s “any other” module, mail is used for notification
  • verification for working mail would be eg using an echomail test.
  • If mail is the problem module, either 2nd internal mail module is used (verified!), or external mail (Gmail, Protonmail, whatever) can be used.
  • If Internet is not working, then either automatic Internet Failover is activated (If available) OR only SMS notification is used, a simple mobile phone, connected via Serial / USB to the server for sending SMS.

I actually set up a system like this in 2001, for a financial institution which explicitly wanted an “always working” alarming system, even if phone / internet lines were “cut”. (It was a smaller Bank, but I liked their thinking). Not easy, as underground, but a burglar drilling a tunnel could accidentally damage the lines…

This kind of “scalable” failover provides for guaranteed notifications - and could even work in NethServer 7, let alone in a future, better prepared system like NethServer 8!

Echomail test:
Send a mail to echo@mailtestprovider.com - this is an external system for mail verification, can be self hosted (externally). The system uses a simple mail rule (sieve) to answer any incoming mail (limited by IP or account!).

My 2 cents
Andy

1 Like
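The escalation rules in Andy’s post above, worked through as an added example (this is not NethServer code and not Andy’s implementation). The mail relays, the echo responder and the SMS modem are all constructed in-process stand-ins so the script runs offline; the channel names, the `ECHO-TEST` tag format and the chain order are assumptions made for the illustration. The one point the prose leaves implicit is shown explicitly: a mail channel is only trusted after a tagged echo round-trip succeeds, and the SMS step is the only channel that does not depend on the Internet link.

```python
"""Escalating alert notification with per-channel verification.

Added example, not NethServer code. Every external system (mail relay,
echo responder, GSM phone) is a constructed in-process stand-in.
"""
import uuid
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class FakeMailRelay:
    """Simulated mail module with an echo responder behind it.

    When `up` is False, anything sent is silently lost, so the echo
    verification fails and the escalation moves on to the next channel.
    """
    name: str
    up: bool = True
    sent: list = field(default_factory=list)
    replies: list = field(default_factory=list)

    def send(self, body: str) -> None:
        if self.up:
            self.sent.append(body)
            # The echo responder (a sieve rule on the remote side in the
            # post) answers every accepted message with a copy of its body.
            self.replies.append(f"Re: {body}")


def echo_test(relay: FakeMailRelay) -> bool:
    """Echo-mail verification: send a uniquely tagged message and require
    a reply carrying the same tag. A relay that accepts mail but never
    round-trips it is treated as broken, which is the whole point of the
    test: "accepted for delivery" is not the same as "delivered"."""
    token = uuid.uuid4().hex
    relay.send(f"ECHO-TEST {token}")          # assumed tag format
    return any(token in reply for reply in relay.replies)


@dataclass
class Channel:
    name: str
    verify: Callable[[], bool]       # True only once the channel is proven working
    send: Callable[[str], None]
    needs_internet: bool = True


def notify(channels: List[Channel], message: str, internet_up: bool) -> Optional[str]:
    """Walk the chain in order and deliver on the first channel that is
    both reachable and verified. Returns the channel name used, or None
    when nothing worked (caller should then at least log locally, since
    no alert left the box)."""
    for ch in channels:
        if ch.needs_internet and not internet_up:
            continue                         # skip, do not even try
        if not ch.verify():
            continue                         # verification failed, escalate
        ch.send(message)
        return ch.name
    return None


def build_chain(primary: FakeMailRelay, secondary: FakeMailRelay,
                external: FakeMailRelay, sms_log: list) -> List[Channel]:
    """Chain order from the post: internal mail, second (verified) internal
    mail module, external provider, and finally SMS through a phone attached
    locally, the only channel that survives a dead Internet link."""
    return [
        Channel("internal-mail", lambda: echo_test(primary), primary.send),
        Channel("internal-mail-2", lambda: echo_test(secondary), secondary.send),
        Channel("external-mail", lambda: echo_test(external), external.send),
        Channel("sms", lambda: True, sms_log.append, needs_internet=False),
    ]


def run_scenarios() -> dict:
    """Constructed failure scenarios, one per escalation step.
    Each tuple is (primary up, secondary up, external up, internet up)."""
    cases = {
        "all-up": (True, True, True, True),
        "primary-mail-down": (False, True, True, True),
        "both-internal-mail-down": (False, False, True, True),
        "internet-down": (True, True, True, False),
    }
    results = {}
    for label, (p, s, e, net) in cases.items():
        sms_log: list = []
        chain = build_chain(FakeMailRelay("primary", up=p),
                            FakeMailRelay("secondary", up=s),
                            FakeMailRelay("external", up=e), sms_log)
        results[label] = notify(chain, f"ALARM: module failure ({label})", internet_up=net)
    return results


if __name__ == "__main__":
    for label, channel in run_scenarios().items():
        print(f"{label:25s} -> {channel}")
```

Running it prints which channel carried the alarm in each scenario; the "internet-down" case lands on `sms` without ever attempting the mail channels, and the "primary-mail-down" case shows the verified second module taking over.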

Actually Zabbix is monitoring systemd services well, but you can also monitor containers. Indeed, to receive notifications I do not want email because my email server could be down, so I use Telegram, but even with that the internet at my home could be down (even if I also have a 4G internet backup), but you could send SMS notifications with Zabbix with a USB stick and a GSM SIM.

2 Likes

To perhaps drag this topic back into the realm of what’s actually happening with NS8, should the /cluster-admin work at all? Because I just spun up a Debian 11 VM, ran the install script, created a cluster, and tried to browse there–I get a 404 error. I read this as suggesting I should see something, even if it isn’t really usable at this point.

2 Likes

Ensure the URL starts with https:// and ends with /

Monitoring is still a wide open topic, ideas are welcome!

2 Likes

That was the issue. I assume https redirect is on the agenda as well.

3 Likes

Can I ask the simple question, of if there is an actual roadmap on NS8?
Is there any rough release plan?

Or is this still very well deep in brainstorming phase that “may happen” eventually?

Not to insult the team or anything, but sometimes looks like NS might “lose the evolution train”.

2 Likes

@NLS I don’t think that Nethesis is looking for cutting edge tech. Because cutting edge… hurts. Sometimes a lot.

Newer is not always better, moreover if a generational change is going to happen: you want to leave something stable for something else… at least at the same level of stability and functionality (more or less).

Don’t forget that… CentOS 7 has at least 3 more years of updates, therefore NS8 IMVHO should be released as “production” 1 year before the EOL.
Starting from scratch, new installations will be a wonderful way for polishing up the UI and other things. With time and user cases, migration scripts will evolve and be “polished and corrected” for flawless operations.

You can find everything here, including the roadmap.

We hope to have a preview release before the end of the year. Still, this is not a promise, just a “nice to have”.
There isn’t a real release plan, but like we did for NS 7 it should be something like:

  • release an unstable release with new features
  • grab feedback, fix bugs
  • add must-have features (like backup&restore)
  • release a stable
  • implement the migration path
  • go on with the development

Again, this is just an idea, do not take it for granted :slight_smile:

6 Likes

Great, thanks!

1 Like