fullack
Making the Swiss knife rsync complicated to use is, in the Linux world, a really big con. Not being able to easily transfer data from one Linux machine to another with rsync is a lack. Sorry to complain.
Easy backup and restore single files seems also getting complicated. Why? It’s essential to any admin to have an easy and fast process. Do I overlook something?
I think so.
Containers are not normal linux distributions.
Please take some time to read how rootless containers work:
So, if you want to copy from a container to another, you need:
I’m not sure it’s mentioned in the above links, but in this architecture you also need to take into account SELinux permissions.
Could you give an example for an external rsync process with correct rights? For i.e. a share in Neth8? Source would be i.e. Neth7…
I took a closer look to the links you gave me.
It seems to me that containers may give you a so-called flexibility by adding different programs to the environment, besides the argument of better security.
Right now I also come to the conclusion that with podman things are getting very complicated when it comes to moving data. An interesting question is surely handling (restoring) email and ibays (shares). Question: what will any kind of ransomware do, sailing in in/with email?
And I do have the feeling that if the road is taken with Neth8, the way back or changing the distro could be extremely painful. It seems to me all this is not really compatible with any other distro. At this point the argument of being free to choose an underlying OS does not count anymore.
Another important question for our companies is how to install the firebird database and connect to users and workstations. This would be essential because of our ERP software. In other words, if this will not work, I have to stop working with nethserver.
Only speaking for me - not sure if I want this (for my company). A Linux standard server seems much easier to me. O.k., I admit - over the years I’ve got used to this kind of server. I’m getting sceptical…
You can find an example inside the migration, this is for the shares: nethserver-ns8-migration/root/usr/share/nethesis/nethserver-ns8-migration/apps/account-provider/ad/migrate at master · NethServer/nethserver-ns8-migration · GitHub
For the receiver part, take a look to the import-module: ns8-core/core/imageroot/usr/local/agent/actions/import-module at main · NethServer/ns8-core · GitHub
I don’t get the question. Can you please explain it a bit?
Why not? NS8 is automating the container configuration: there is no lock-in. If you want to leave NS8, you could even take the images and volumes and move them under Docker running on macOS.
You should explain the requirements better. What are you trying to achieve? Nowadays almost everybody ships a container. If there is an OCI image, NS8 can run it.
Take a look also at docker hub: Docker
It is. I also still prefer a plain Linux server. But times have changed and containers are here to stay for a long while. Most advanced software is only available in containers and, sometimes, it even needs a complex architecture like Kubernetes to run smoothly.
Finally: taken from the homepage of Nethserver:
Small Business Linux Server Made easy.
… designed for small offices and medium enterprises.
… simple
… solid
With NS8 I don’t see this clearly right now. Anyway, I will do more testing with our needs. No decision is made right now.
Most advanced software is only available in containers and, sometimes, it even needs a complex architecture like Kubernetes to run smoothly.
Mhmm: kubernetes - yes or no?
A good question: is this still SME?
AFAIK ransomware is encrypting all Samba shares. How to restore all shares from an earlier backup? In 2018 we isolated WannaCry. Out of curiosity I wanted to see how this virus works. I built a VM and let it go in a sandboxed Linux SME server. It took only minutes and all shares were encrypted. The restore of all email and all shares from a safe point took roughly two hours. How will NS8 be affected in this case? Only Samba (Docker) shares? What else could be affected? Where would be the difference to a plain Linux server with Samba and email? Where are the advantages?
In this area NS8 (or container in general) behaves like NS7 (or a normal Linux distro): if a file is accessible from a client, it’s also accessible by a cryptolocker running on that client.
The backup in NS8 is done by restic: it’s encrypted and not accessible by the container.
If you need to restore the mail (or the share), you can just restore the single application: Backup and restore — NS8 documentation
I highly doubt this to be easy. This would be the very first time to migrate IT with a finger-snip.
Never said it’s easy But you can do it: no lock-in.
This is a bit of a jump. There’s no official firebase docker. I mean an ERP software is absolutely essential for a company. No need to explain more.
A good question: is this still SME?
I think it’s not, this is why we built NS8. But the IT world is trying to push K8S also for SME.
Uhmm, allow me the question: is NS8 for the IT world, or is it meant to be useful for small medium enterprises? Neth7 was… (at least for me).
Please, no marketing speech - what/where are the improvements/benefits for a small/medium enterprise stepping from NS7 to NS8? All I see at this very moment is that things are getting complicated with NS8. Way too much to take care of for someone who is not a full-time sysadmin.
You probably gave the answer already:
I think it’s not, this is why we built NS8.
No more SME…
The backup in NS8 is done by restic: it’s encrypted and not accessible by the container.
If you need to restore the mail (or the share), you can just restore the single application: Backup and restore — NS8 documentation
What, if I don’t want to restore an application? Why should I do this while I want to restore a few files only?
You don’t take this personally, do you? These are just my thoughts - I don’t want to blame anybody in here.
Hi @schulzstefan @giacomo @alefattorini
As almost anyone here knows, I’m a fervent supporter of virtualization and containers, absolutely.
→ I do accept docker, more out of necessity than approval!
Why this?
Docker, while helping to solve a lot of existing issues, has as such introduced a few - for lack of a better word I’ll call them “mentality” issues - that actually worsen the general situation rather than improving it.
Examples:
Security general:
Programmers take up the attitude: Oh, great, I don’t NEED to worry about security, my app is alone in its Docker container…
What happens to simple universal tools like rsync has been detailed enough above…
Hardcoded application IPs:
Often, also sadly in the case of NS8, certain “hardcoded” IP, often entire networks are used, without any word of warning to users, that this can present minor or major problems, if your LAN happens to be running on such a network…
Hypothetically wondering what happens if the internal 10.5.4.0/24 IP used in the NS8 node for WG-VPNs happens to be the LAN IP of the site installing NS8 as sub-node or primary site?
Worst of all, such programmers do not even bother to place such information eg in the system requirements. For NS8, you need to read a LOT before finding this small detail…
PS: I found the information here:
NS8 - cloud in a box
I couldn’t find much info in the latest Admin Docu for NS8 about the used IP or internal VPN…
https://ns8.nethserver.org/en/latest/index.html
→ Hint intended for @alefattorini …
As to running “a simple linux server” - for me it greatly depends on tasks, requirements, and using the right tool to solve a problem or need.
As an example, I make big use of SBCs like Raspberry Pis and Odroids for certain tasks - including Home Assistant (I’m a great fan of Home Assistant, too!).
Home Assistant basically runs in the presently suggested mode as a Docker orchestrator, similar to NS8.
The IP network 172.30.33.0/24 is used internally. In this sense, there is hardly any word of warning about this to users, especially home users and supporters. I personally had to help 3 users using that IP range by pure chance for their home network. This actually caused IP conflicts, as the IP was exposed externally, due to bad firewalling / configuration, etc…
→ This lack of information about docker-internal IPs should NOT happen!
As long as it’s clearly stated, eg in the form of:
This docker application uses IP ranges: 10.x.x.x/24 etc, this could cause issues if this network is locally used eg as LAN…
I do agree that 10.5.4.0/24 is an “obscure” network, but there are plenty of users here using a 10.x.x.x network without any real need (like having several sites or over 100’000 IP users in their networks)!
Yes, there are people who like to use “obscure” IPs for their networks, either out of security by obscurity mentality or some other reason or need…
This may not be best practices in networking, but it’s all still legit according to the RFCs!
And, yeah, I’ve often stated I’m a networker, not programmer!
and as such, I’m playing the part of devil’s advocate (Advocatus Diaboli) - from a network vantage point!
My 2 cents
Andy
What, if I don’t want to restore an application? Why should I do this while I want to restore a few files only?
For now there is no such feature, but since everything is inside the restic repository, it is possible to extract single files.
Hypothetically wondering what happens if the internal 10.5.4.0/24 IP used in the NS8 node for WG-VPNs happens to be the LAN IP of the site installing NS8 as sub-node or primary site?
Usual network conflict problems
Worst of all, such programmers do not even bother to place such information eg in the system requirements.
It’s not a requirement, it’s a configuration: you can change the network to fit your needs.
The network is presented at first configuration wizard with a note:
If you think we can improve the page or the doc, I will gladly try to fix it with suggestions!
→ This lack of information about docker-internal IPs should NOT happen!
Most rootless modules, and all rootfull ones, use the IP of the network interface. Some rootless modules use the internal network for pods, using the default configuration (it may vary on different distros): podman-network — Podman documentation
But this network is inside an isolated namespace (normal applications can’t see it), so I never encountered network conflicts.
Please bear in mind that, to avoid such conflicts, NS8 explicitly requires the host network for rootfull modules.
And, yeah, I’ve often stated I’m a networker, not programmer!
and as such, I’m playing the part of devil’s advocate (Advocatus Diaboli) - from a network vantage point!
Network is hard and I agree with you that we might need some tweaks or documentation to cover most common cases. But we are trying hard to avoid conflicts as much as possible!
The information about the needed network for VPN, including the used default IP AND the information that this can be set at installation time should be somewhere in the system requirements.
But this network is inside an isolated namespace (normal applications can’t see it), so I never encountered network conflicts.
If a newbie installs NS8 on his home network, which uses 10.5.4.0/24 (with .1 as gateway), what will happen?
The newbie will probably click accept on the VPN IP page - yes, that IP looks familiar - and, thinking of a “bridged” VPN, does the installer system recognize the possible conflict?
Does the newbie get warned, the install denied (IP-conflict)?
My 2 cents
Andy
If you think we can improve the page or the doc, I will gladly try to fix it with suggestions!
Maybe you can implement a check between the existing LAN IP range and the proposed VPN IP settings to avoid such conflicts? After the check is done, only conflict-free VPN settings will be suggested and if the user wants to manually configure wrong IP ranges, this will be prevented.
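The overlap check suggested above, as an added example that is not part of NS8 or of the original post: it parses `ip -o -4 addr show` output (a constructed sample is embedded so it runs offline), reports which local interface sits on the proposed WireGuard network, and proposes the first conflict-free /24 from a pool. The 10.5.4.0/24 default comes from the thread; the pool 10.0.0.0/8 and all function names are assumptions.

```python
import ipaddress
import re
import subprocess

# Default WireGuard network named in this thread.
DEFAULT_VPN_NET = "10.5.4.0/24"

# Constructed sample of `ip -o -4 addr show` output so the example runs offline.
# eth1 is deliberately placed on the NS8 default VPN range to trigger a conflict.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0
3: eth1    inet 10.5.4.7/24 brd 10.5.4.255 scope global eth1
"""

_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+/\d+)")

def parse_ip_addr(text):
    """Return (ifname, network) pairs from `ip -o -4 addr show` output, skipping loopback."""
    result = []
    for line in text.splitlines():
        m = _ADDR_RE.match(line)
        if not m or m.group(1) == "lo":
            continue
        # strict=False turns the interface's host address into its containing network.
        result.append((m.group(1), ipaddress.ip_network(m.group(2), strict=False)))
    return result

def find_conflicts(vpn_cidr, lan_networks):
    """Return the LAN (ifname, network) entries whose range overlaps the proposed VPN network."""
    vpn = ipaddress.ip_network(vpn_cidr, strict=False)
    return [(name, net) for name, net in lan_networks if net.overlaps(vpn)]

def suggest_free_network(vpn_cidr, lan_networks, pool="10.0.0.0/8"):
    """Walk subnets of `pool` with the same prefix length as the VPN and return the first free one."""
    prefix = ipaddress.ip_network(vpn_cidr, strict=False).prefixlen
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(net.overlaps(cand) for _, net in lan_networks):
            return str(cand)
    return None

def check_live(vpn_cidr=DEFAULT_VPN_NET):
    """Run the same check against this host's real addresses (needs iproute2 installed)."""
    out = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                         capture_output=True, text=True, check=True).stdout
    return find_conflicts(vpn_cidr, parse_ip_addr(out))

if __name__ == "__main__":
    lans = parse_ip_addr(SAMPLE_IP_ADDR)
    for name, net in find_conflicts(DEFAULT_VPN_NET, lans):
        print(f"conflict: {DEFAULT_VPN_NET} overlaps {net} on {name}")
    print("suggested conflict-free network:", suggest_free_network(DEFAULT_VPN_NET, lans))
```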
Hi all,
I think that the DHCP, before it leases an IP, checks if it is in use.
Why not do the same?
Michel-André
If a newbie installs NS8 on his home network, which uses 10.5.4.0/24 (with .1 as gateway), what will happen?
Probably this guy should go and bet money, he is really lucky to find this network among 16 million possible IPs (e.g. /8).
For now there is no such feature, but since everything is inside the restic repository, it is possible to extract single files.
How? More in detail: how to a different Linux system/server? I read what you gave me: how containers work. Practical advice please.