NS8 - Question of understanding

giacomo · September 19, 2023, 10:21am

I think so.
Containers are not normal linux distributions.
Please take some time to read how rootless containers work:

So, if you want to copy from a container to another, you need:

an external rsync process with correct rights
or a rsync process running inside the container along with other processes (and regarding this there is whole another world of doc)

I’m not sure it’s mentioned in the above links, but in this architecture you also need to take into account SELinux permissions.

schulzstefan · September 19, 2023, 10:38am

Could you give an example for an external rsync process with correct rights? For i.e. a share in Neth8? Source would be i.e. Neth7…

schulzstefan · September 19, 2023, 11:14am

I took a closer look to the links you gave me.

It seems to me, that containers may give you a so called flexibility adding different programs to the enviroment. Besides the argument of a better security.

Right now I do also come to the conclusion, that with podman things are getting very complicated when it comes to move data. Interesting question is surely handling (restoring) email and ibays (shares). Question: what will any kind of ransomeware doing sailing in in/with email?

And I do have the feeling, if the road is taken with Neth8 the way back or changing the distro could be extremly painful. It seems to me all this is not really compatible with any other distro. At this point the argument of beeing free to choose an underlaying OS, is not counting anymore.

Another important question for our companies is how to install the firebird database and connect to users and workstations. This would be essential because of our ERP software. In other words, if this will not work, I have to stop working with nethserver.

Only speaking for me - not sure, if I want this (for my company). A linux standard server seems much easier to me. O.k. I admit - over years I’m used to this kind of server. I’m getting scepitcal…

giacomo · September 19, 2023, 12:46pm

You can find an example inside the migration, this is for the shares: nethserver-ns8-migration/root/usr/share/nethesis/nethserver-ns8-migration/apps/account-provider/ad/migrate at master · NethServer/nethserver-ns8-migration · GitHub

For the receiver part, take a look to the import-module: ns8-core/core/imageroot/usr/local/agent/actions/import-module at main · NethServer/ns8-core · GitHub

I don’t get the question. Can you please explain it a bit?

Why not? NS8 is automating the container configuration: there is not lock-in. If you want to leave NS8, you could even get the images and volumes and move them under docker running on MacOS.

You should explain better the requirements. What are you trying to achieve? Nowadays almost everybody ship a container. If there is an OCI image, NS8 can run it.
Take a look also at docker hub: Docker

It is. I also still prefer a plain Linux server. But times have been changed and containers are here to stay for a long while. Most advanced software are only available on containers and, sometimes, they even need complex architecture like Kubernetes to run smoothly.

schulzstefan · September 19, 2023, 2:03pm

giacomo:

schulzstefan:

Could you give an example for an external rsync process with correct rights? For i.e. a share in Neth8? Source would be i.e. Neth7…

You can find an example inside the migration, this is for the shares: nethserver-ns8-migration/root/usr/share/nethesis/nethserver-ns8-migration/apps/account-provider/ad/migrate at master · NethServer/nethserver-ns8-migration · GitHub

For the receiver part, take a look to the import-module: ns8-core/core/imageroot/usr/local/agent/actions/import-module at main · NethServer/ns8-core · GitHub

So it’s complicated to move data.

schulzstefan:

Question: what will any kind of ransomeware doing sailing in in/with email?

I don’t get the question. Can you please explain it a bit?

AFAIK ransomeware is encrypting all samba shares. How to restore from an earlier backup all shares? In 2018 we isolated Wannacry. Out of curiousity I wanted to see how this virus works. I built a VM and let it in a sandbox linux SME server go. It took only minutes and all shares were encrypted. The restore of all email and all shares from a safe point, took roughly two hours. How will NS8 in this case be affected? Only samba (docker) shares? What else could be affected? Where would be the difference to a plain linux server with samba and email? Where are the advantages?

schulzstefan:

At this point the argument of beeing free to choose an underlaying OS, is not counting anymore.

Why not? NS8 is automating the container configuration: there is not lock-in. If you want to leave NS8, you could even get the images and volumes and move them under docker running on MacOS.

I highly doubt this to be easy. This would be the very first time to migrate IT with a finger-snip.

schulzstefan:

Another important question for our companies is how to install the firebird database and connect to users and workstations.

You should explain better the requirements. What are you trying to achieve? Nowadays almost everybody ship a container. If there is an OCI image, NS8 can run it.
Take a look also at docker hub: Docker

This is a bit of a jump. There’s no official firebase docker. I mean an ERP software is absolutely essential for a company. No need to explain more.

Well, everyone has different riquirements, of course. For SME I’d like to point to SME server. The mother of all SME server was the e-smith server. I’d like to say, this is still valid to me.

schulzstefan:

A linux standard server seems much easier to me.

It is. I also still prefer a plain Linux server. But times have been changed and containers are here to stay for a long while. Most advanced software are only available on containers and, sometimes, they even need complex architecture like Kubernetes to run smoothly.

Of course it is. And times are always changing. As I stated before - containers may be good for devs and commercial proposes/intentions. And maybe, this architecture is developing and staying. Right now for me this technique is a huge challenge.

Finally: taken from the homepage of Nethserver:

Small Business Linux Server Made easy.
… designed for small offices and medium enterprises.
… simple
… solid

With NS8 I don’t see this clearly right now. Anyway, I will do more testing with our needs. No decision is made right now.

schulzstefan · September 19, 2023, 2:09pm

Mhmm: kubernetes - yes or no?

A good question: is this still SME?

giacomo · September 19, 2023, 2:20pm

In this area NS8 (or container in general) behaves like NS7 (or a normal Linux distro): if a file is accessible from a client, it’s also accessible by a cryptolocker running on that client.

The backup in NS8 is done by restic: it’s encrypted and not accessible by the container.
If you need to restore the mail (or the share), you can just restore the single application:Backup and restore — NS8 documentation

Never said it’s easy But you can do it: no lock-in.

I think it’s not, this is why we build NS8. But the IT world is trying to push K8S also for SME.

schulzstefan · September 19, 2023, 6:00pm

Uhmm, allow me the question: is NS8 for the IT world, or is it meant to be useful for small medium enterprises? Neth7 was… (at least for me).

Please, no marketing speech - what/where are the improvements/benefits for a small/medium enterprise stepping from NS7 to NS8? All I see at this very moment - things are getting complicated with NS8. Way too much to take care for not being a full time sysadmin.

You probably gave the answer already:

No more SME…

schulzstefan · September 19, 2023, 6:02pm

What, if I don’t want to restore an application? Why should I do this while I want to restore a few files only?

schulzstefan · September 19, 2023, 6:05pm

@giacomo

You don’t take this personally, do you? These are just my thoughts - I don’t want to blame anybody in here.

Andy_Wismer · September 19, 2023, 8:36pm

Hi @schulzstefan @giacomo @alefattorini

As almost anyone here knows, I’m a fervent supporter of virtualization and containers, absolutely.
→ I do accept docker, more out of necessity than approval!

Why this?

Docker, while helping to solve a lot of existing issues, as such has introduced a few - for lack of a better word I’ll call it “mentaltity” issues, that actually worsen a general situation than improving it.

Examples:

Security general:

Programmers take up the attitude: Oh, great, I don’t NEED to worry about security, my app is alone in it’s docker container…
What happens to simple universal tools like rsync has been detailed enough above…

Hardcoded application IPs:

Often, also sadly in the case of NS8, certain “hardcoded” IP, often entire networks are used, without any word of warning to users, that this can present minor or major problems, if your LAN happens to be running on such a network…

Hypothetically wondering what happens if the internal 10.5.4.0/24 IP used in NS8 node for WG-VPNs happens to be the LAN IP of the site installing NS8 as sub-node or primary site?

IP conflict for default gateway?
Difficult to find routing errors?
worse issues?

Worst of all, such programmers do not even bother to place such information eg in the system requirements. For NS8, you need to read a LOT before finding this small detail…
PS: I found the information here:

I couldn’t find much info in the latest Admin Docu for NS8 about the used IP. or internal VPN…
https://ns8.nethserver.org/en/latest/index.html

→ Hint intended for @alefattorini …

As to running “a simple linux server” - for me it greatly depends on tasks, requirements, and using the right tool to solve a problem or need.
As an example, I make a big use of SBCs like Raspberry PIs and Odroids for certain tasks - including Home Assistant (I’m a great fan of Home Assistant, too!).

Home Assistant runs basically in the present suggested mode as docker orchestrator, similiar to NS8.
The IP network 172.30.33.0/24 is used internally. In this sense, there is hardly any word of warning about this to users, especially home users and supporters. I personally had to help 3 users using that IP range by pure chance for their home network. This actually caused IP conflicts, as the IP was exposed externally, due to bad firewalling / configuration, etc…

→ This lack of information about docker-internal IPs should NOT happen!

As long as it’s clearly stated, eg in the form of:

This docker application uses IP ranges: 10.x.x.x/24 etc, this could cause issues if this network is locally used eg as LAN…

I do agree that 10.5.4.0/24 is an “obscure” network, but there are plenty users here using a 10.x.x.x network without any real need (like having several sites or over 100’000 IP users in their networks!

Yes, there are people who like to use “obscure” IPs for their networks, either out of security by obscurity mentality or some other reason or need…

This may not be best practices in networking, but it’s all still legit according to the RFCs!

And, yeah, I’ve often stated I’m a networker, not programmer!
and as such, I’m playing the part of devils advocate ( Advocatus Diaboli) - from a network vantage point!

My 2 cents
Andy

giacomo · September 20, 2023, 6:55am

For now there is no such feature, but since everything is inside the restic repository, it is possible to extract single files.

Usual network conflict problems

It’s not a requirement, it’s a configuration: you can change the network to fit your needs.

The network is presented at first configuration wizard with a note:

If you think we can improve the page or the doc, I will gladly try to fix it with suggestions!

Most rootless modules, and all rootfull ones, use the IP of the network interface. Some rootless modules uses the internal network for pods, using the default configuration (it may vary on different distros): podman-network — Podman documentation
But this network is inside an isolated namespace (normal applications can’t see it), so I never encountered network conflicts.
Please bear in mind that, to avoid such conflicts, NS8 explicitly require the network host for rootfull modules.

Network is hard and I agree with you that we might need some tweaks or documentation to cover most common cases. But we are trying hard to avoid conflicts as much as possible!

Andy_Wismer · September 20, 2023, 7:34am

@giacomo

The information about the needed network for VPN, including the used default IP AND the information that this can be set at installation time should be somewhere in the system requirements.

If a newbie installs NS8 on his home Network, which uses 10.5.4.0/24 (With 1 as Gateway), what will happen?

The newbie will probably click accept on the VPN IP page - yes, that IP looks familiar - and thinking of a “bridged” VPN, does the installer-system recognize the possible conflict?
Does the newbie get warned, the install denied (IP-conflict)?

My 2 cents
Andy

capote · September 20, 2023, 11:32am

Maybe you can implement a check between the existing LAN IP range and the proposed VPN IP settings to avoid such conflicts? After the check is done, only conflict-free VPN settings will be suggested and if the user wants to manually configure wrong IP ranges, this will be prevented.

michelandre · September 20, 2023, 12:15pm

Hi all,

I think that the DHCP, before it leases an IP, checks if it is in use.

Why not doing the same ?

Michel-André

stephdl · September 20, 2023, 2:55pm

Probably this guy should go to bet money he is really lucky to find this network on 16 millions possible ip (eg /8)

schulzstefan · September 26, 2023, 6:36pm

How? More in detail: How to a different linux system/server? I read this you gave me: How containers work. Practical advice please.

davidep · September 30, 2023, 8:30am

6 posts were split to a new topic: NS8 configuration template system